Defining Security Settings

Description

An overview on how to define security settings and a list of properties.

How to Define Security Settings

The first step when configuring the web publishing security framework is to define the security features you want to use.

  1. Display the Web Projects Control Panel.

  2. Click Web Security to display the Web Security dialog.

    (image: images/web-security-dialog.png)
  3. Assuming that you have not previously defined any security settings, the first step is to create the initial security settings files. Select Web Security Configuration and click OK. The Security Settings dialog will appear.

    (image: images/web-security-settings.png)
  4. Enable (check) the Security Policy > Security Active property.

  5. Enable (check) the Security Policy > Password Required property. A large number of additional properties will appear.

  6. Click in the Security Policy > Redirect Page - login property and select "Login.a5w".

  7. Click in the Security Policy > Redirect Page - insufficient permission property and select "Login.a5w".

  8. Click in the Login Options > Redirect Page after Login property and select "Menu.a5w".

  9. Select "User ID Field Value" in the User ID Options > User ID Configuration property.

  10. Click in the User ID Options > User ID Validation Rules property to display the User ID Validation dialog.

    • 1. Enter "4" into the Data Length > Minimum Length property.

    • 2. Enter "12" into the Data Length > Maximum Length property.

    • 3. Click OK.

  11. Enter alphafive into the Password Options > Password encryption key property.

  12. Click in the Password Options > Password Validation Rules property to display the Password Validation dialog.

    • 1. Enable (check) the Text Format > Allow digits property.

    • 2. Enter "4" into the Data Length > Minimum Length property.

    • 3. Enter "12" into the Data Length > Maximum Length property.

    • 4. Click OK.

  13. Expand Customize Options to display its properties.

    (image: images/web-security-custom.png)
    • 1. Enable (check) the Customize Options > Show external user identifier field property. This is also called the 'ulink' field.

    • 2. Enter "__protected__user_identifier" into the Customize Options > Session variable for identifier field property.

    • 3. Click OK.

  14. Click Save.

  15. If you have neglected to set any required properties, a dialog similar to the following will appear. Click OK and correct these errors.

    (image: images/web-security-error.png)

Set Security Properties

The Security Settings dialog provides access to the following properties.

  1. Optionally, enable the Security Policy > Security Active property. This causes the Security Policy > Login Required property to appear.

  2. Optionally, enable the Security Policy > Password Required property. This causes the Password Options properties to appear.

  3. Refer to the following tables for explanations of different properties.

Security Settings

Security Policy

  • Security Active

    If security is not activated, all objects and actions are available to all users without restriction. If security is active, access is based on membership in a security group. The options are:

    • Activated (checked)
    • Not Activated
  • Password Required

    Login with a User ID and password is required to access some or all pages. The options are:

    • Password required (checked)
    • No password required
  • Redirect Page - Login

    Display this page if login is required to access the selected page and no one is logged in. Click to display the Select Page dialog.

  • Redirect Page - Insufficient Permission

    Optional. Display this page if a user is logged in but does not have sufficient permission to access the selected page. Click to display the Select Page dialog.

Login Options

  • Login Expiration Policy

    Define when the user's login will expire. The options are:

    • Defined time after last page access: set the Login Expiration Time, Remember Me Option, and Remember Me Policy.
    • Defined time after initial login: set the Login Expiration Time, Remember Me Option, and Remember Me Policy.
    • Expires when the user closes their browser: set the Locked Out Action.
    • Expires when the current session expires.
  • Login Expiration Time

    This property contains the time interval required by the Login Expiration Policy. Click to display the Expiration Time dialog.

  • Remember Me Option

    The Remember Me option enables automatic login. If it is enabled, the user can choose to save their login information in a tracking cookie, which is read automatically whenever login is required. The option is only available if the Login Expiration Policy is one of the defined-time policies. The options are:

    • Enabled (checked)
    • Not enabled
  • Lockout After Failed Attempts

    This property defines the number of unsuccessful login attempts a user may make before being locked out of the application. Set to 0 to allow unlimited attempts.

  • Locked Out Action

    Defines the action that is taken when a user is locked out. The options are:

    • Wait for a period of time: set the Locked Out Message and Locked Out Wait Time.
    • Redirect to another page: set the Locked Out Redirect Page.
    • Lock out user until reset by administrator: set the Locked Out Wait Time to indefinite.

  • Locked Out Message

    This property defines the message that the user will see when locked out.

  • Locked Out Wait Time

    This property defines the interval that the user will have to wait before another login attempt. Click to display the Expiration Time dialog.

  • Locked Out Redirect Page

    Select the page to display if the user is locked out. Click to display the Select Page dialog.

  • Login activity file

    Define whether to save login activity to a text file. The options are:

    • Save login activity (checked) - Set the Login Activity Log Folder
    • Do not save login activity
  • Login Activity log save to

    If you enabled the Login Activity File, specify where the activity log file will be saved. The options are:

    • Data Folder: login activity is saved in the data folder.
    • Project target folder: login activity is saved to the project target folder.
    • User defined function: login activity is sent to a user defined Xbasic function that handles the data.

  • Login Redirect Option

    Specify the action to take after a successful login. The options are:

    • Same page for all logins: send all users to the same page after login.
    • Current page: keep the user on the page containing the login.
    • Page assigned by user: set the Redirect Page After Login.

  • Redirect Page After Login

    If a redirect page is not defined in the current user's profile, this property specifies the page to display after a successful login. Click to display the Select Page dialog.

User ID Options

  • User ID Configuration

    This property defines the type of user ID to use. The options are:

    • Email Address: set the User ID Error Message.
    • User ID Field Value: set the User ID Validations Rule.

  • User ID Error Message

    Appears only if the User ID Configuration was set to "Email Address". This property defines the message to display if the user ID is not a valid email address.

  • User ID Validations Rule

    Appears only if the User ID Configuration was set to "User ID Field Value". This property defines the way to validate a user ID. Click to display the UserID Validation dialog.

Password Options

  • Password Encryption

    Specify whether a new password should be encrypted before saving it in the user table. The options are:

    • Checked: encrypt the password before saving
    • Not checked: save in clear text
  • Password Encryption Key

    Enter the encryption key to use if encryption is desired. The key must be at least 8 characters long.

  • Allow Password Change at Login

    Specify whether to allow the user to change his or her password at login. The options are:

    • Yes (checked) - Set Password Validation Rules
    • No
  • Password Validation Rules

    Define the rules used to validate a password. Click to display the Password Validation dialog.

  • Password Expires?

    Specify whether passwords will expire. When the current password expires, the user must enter a new password. The options are:

    • Yes (checked) - Set Password Expiration Time
    • No
  • Password Expiration Time

    This property defines the length of time that a password will last before it expires. Click to display the Expiration Time dialog.

  • Password Restricted Re-use

    This property defines the number of old passwords that are saved in a restricted list and cannot be re-used. When you add a new password to the list, the system removes the oldest password. A value of 0 will allow any password to be re-used without restriction. A value of 1 requires only that a new password not match the current password.

  • Password Restricted Re-use Message

    Message to show if the user entered a restricted password.
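The following Python is an added illustration, not Alpha Anywhere's own code: it models the semantics of Lockout After Failed Attempts, Locked Out Wait Time (including the indefinite setting) and Password Restricted Re-use as the properties above describe them, so the effect of the values 0, 1 and larger can be checked. The function names, the in-memory user state and the clock parameter `now` are assumptions of the model.

```python
# Added illustrative model of this page's lockout and password re-use rules (not Alpha Anywhere code).
# The names, the in-memory user state and the clock parameter `now` are assumptions of the model.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional
import hmac

@dataclass
class LoginPolicy:
    lockout_after_failed: int = 3           # Lockout After Failed Attempts; 0 = unlimited
    locked_out_wait: Optional[float] = 600  # Locked Out Wait Time in seconds; None = indefinite
    restricted_reuse: int = 1               # Password Restricted Re-use; 0 = no restriction

@dataclass
class UserState:
    password: str
    failed_attempts: int = 0
    locked_until: Optional[float] = None    # None = not locked; inf = until admin reset
    history: deque = field(default_factory=deque)

def new_user(policy, password):
    # Restricted list = current password plus the n-1 most recent old ones: a deque of maxlen n.
    user = UserState(password=password, history=deque(maxlen=policy.restricted_reuse))
    user.history.append(password)           # no-op when restricted_reuse == 0
    return user

def is_locked(user, now):
    return user.locked_until is not None and now < user.locked_until

def check_login(policy, user, supplied, now):
    """One login attempt at time `now`; returns 'ok', 'bad_password' or 'locked_out'."""
    if is_locked(user, now):
        return "locked_out"
    if hmac.compare_digest(supplied.encode(), user.password.encode()):
        user.failed_attempts = 0
        return "ok"
    user.failed_attempts += 1
    if policy.lockout_after_failed and user.failed_attempts >= policy.lockout_after_failed:
        wait = policy.locked_out_wait       # None models "Lock out user until reset by administrator"
        user.locked_until = float("inf") if wait is None else now + wait
        user.failed_attempts = 0            # the next lockout needs a full run of failures
        return "locked_out"
    return "bad_password"

def admin_reset(user):
    user.locked_until = None
    user.failed_attempts = 0

def change_password(policy, user, new_password):
    """Apply Password Restricted Re-use; returns True if the new password is accepted."""
    if new_password in user.history:        # history is empty when restricted_reuse == 0
        return False
    user.history.append(new_password)       # the deque drops the oldest entry past maxlen
    user.password = new_password
    return True
```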

Lost Data Recovery Options

  • Allow User ID Recovery

    Specify whether to allow a user to recover his or her user ID when it has been lost. The options are:

    • Yes (checked) - Set Data Required for Recovery
    • No
  • Data Required for Recovery

    Specify the information required to recover a user ID. You will also need to have an email field in the user security table. See User Table Field Map. The options are:

    • Valid Email Address: the user must provide a valid email address to recover a user ID.
    • Valid Email Address & security question: the user must provide both a valid email address and answer a security question.

  • Lost Password Action

    Specify whether to allow a user to recover his or her password when it has been lost. The options are:

    • Not Allowed: password recovery is not permitted.
    • Recover Password: the original password can be recovered.
    • Reset Password: creates a system generated single use password.

  • Data Required for Password Reset / Recovery

    Specify the information that must be entered to identify the user in order to recover or reset his or her password. The options are:

    • Valid Email Address
    • Valid User ID
    • Valid User ID & Email
    • Valid User ID & Security Question
    • Valid Email Address & Security Question

  • Lost Data Recovery Method

    This property defines the method used to recover a lost user ID or password. The options are:

    • Show on Screen: displays the recovery information in the browser.
    • Create Email link on page: displays an email link that lets the user send a pre-configured email request to a predefined address.
    • Send Email to User: set Configure Email to Send to User with User ID, Configure Email to Send to User with Password, and Configure Email Request from User. The Send User ID with Password? property must also be configured.

  • Lost Data Recovery Alternative Method

    This is the method to use if you selected "Send Email to User" for the Lost Data Recovery Method property, but the server does not support email. The options are:

    • Show on Screen: displays the recovery information in the browser.
    • Create Email link on page: displays an email link that lets the user send a pre-configured email request to a predefined address.

  • Send User ID with Password?

    Send both User ID and Password in the same message? The options are:

    • Yes (checked)
    • No - The user will receive 2 emails if the recovery process was used to find his or her user ID.
  • Configure Email to Send to User with User ID

    Click to display the Create Email to Send to User with User ID dialog.

  • Configure Email to Send to User with Password

    Click to display the Create Email to Send to User with Password dialog.

  • Configure Email Request from User

    Click to display the Create Login Request Email FROM User dialog.

  • Security Questions

    Click to display the Login Recovery Security Questions dialog.

Customize Options

  • Default security group

    Defines the default security group(s) assigned to a new user record. The default group is only used if the new user is not assigned any security groups when the account is created. The default group is added to new users by a process running on the Application Server.

  • Enable External User Identifier Field

    Enables a special user table field named "ulink". User records may exist in tables outside of the security system. The field 'ulink' can be used to enter a user identifier value from a user record in an external table to 'link' that user to a web user security record.

  • Session Variable for Identifier Field

    (Optional) Enter the name of a session variable to contain the value from the 'ulink' field. If the security framework is on, the session variable will always exist for every page. The variable value will be blank if no one is logged on, or contain a 'ulink' value from the logged in user record, if a value exists for that user.

  • Prompt to Display for Identifier Field

    Enter the prompt to display on the Users and Groups dialog for the 'ulink' field. The name can describe the source of the value.

  • User Verification Field Values Required

    This option is available if a feature that allows a user to recover lost login information is enabled. A user will be able to recover their login information if they can identify themselves by answering the security questions. The security questions are called the 'User Verification Fields'. When a new user is added to the Users table, or when an existing user's information is edited, you can specify whether the User Verification Fields MUST be entered or are OPTIONAL. The options are:

    • Required (Checked) when adding/editing records in the Users table via a Web form or function.
    • Required (Checked) when adding/editing records in the Users table via a Desktop dialog.
  • User ID not Unique Error Message

    User ID values must be unique. This message will display if the User ID entered already exists in the user table. This message is only used in a web component.

  • User File - Required Data Missing

    This message is displayed if required data is missing when saving a new or changed user record. This message is only used in a web component.

  • Password - Confirm Password Doesn't Match

    This message is only displayed if an optional 'confirm_password' value doesn't match the entered password. This message is only used in a web component.

  • Enable component security for 'virtual pages'

    Components embedded in an A5W page use the page's security setting when security is enabled. When a component is displayed without an A5W page, however, for example through Action Javascript, a 'virtual page' is created to display the component. In this scenario no security is applied to the component (its security is effectively 'Always Allowed'), because the page the component is rendered on was created dynamically at run-time.

    The default security for virtual pages is 'Always Allowed'. Enable component security for 'virtual pages' turns on component-level security, which lets you define the security settings for each component and report in your project.

    As with A5W pages, once Enable component security for 'virtual pages' has been turned on, the default security for components and reports on virtual pages is 'Always Denied'.

  • Enable security at component level for AJAX components

    If checked, security settings for components and Reports will be applied on all pages, both virtual pages and A5W pages. If the user accesses a component for which they do not have permissions to view, even if they are allowed to access the A5W page on which the component is embedded, the component will not be rendered and a 403 error will be shown instead.

    All components opened using Action Javascript or on virtual pages always use the component security permissions if component security is enabled.

    This option is only available if Enable component security for 'virtual pages' has been enabled.

  • Ask browser to not cache requests requiring login

    If enabled, the browser is told not to cache any page, component, or report that requires login. This only applies to requests for items that require login to view. In most circumstances this forces the browser to make a new request for a page when the back or forward button is used in the web browser.

    Caching will still be permitted when security is turned off or if the page or component security is set to 'Always Allowed'.

  • Cache lifetime (in seconds)

    Security settings are cached on the server for speed and are not automatically updated when new security settings are published. The Cache lifetime (in seconds) determines how often the server checks for updates to the security system. A value of 300 makes the server check for new settings every 5 minutes. Set the value to 0 to never check for updates.

    Cache lifetime does not apply to the Application Server for IIS.

Configuring Page and Component Security Settings

The third step when implementing the Web Security framework is to define the security for components, reports, and pages. Security for a component, report, or page can be one of three types:

  • Always Denied: access is denied to everyone. By default, access is set to "Always Denied" for all components, reports, and pages when security is first enabled or when a new component, report, or page is created.
  • Always Allowed: anyone can access the component, report, or page without logging in.
  • Login Required: the user must be logged in and belong to the specified security groups that have been given access to the component, report, or page.

For more information about configuring pages, folders, components, and reports, see the following:

Limitations

Web publishing applications only
