External Designer Access

Use this board to ask questions or have discussions with other Rich Displays users.
Post Reply
RussCraig
Profound User
Posts: 62
Joined: Wed May 05, 2010 10:13 am
First Name: Russell
Last Name: Craig
Company Name: Applied Business Services
Phone: 252-482-7666
Address 1: 617 Soundside Rd
City: Edenton
State / Province: North Carolina
Zip / Postal Code: 27932
Country: United States
Location: Edenton, NC
Contact:

External Designer Access

Post by RussCraig »

I have ProfoundUI set up using SSL so our clients can connect remotely. It works great, they can go to "https://examplesite.com/client", and it runs the Alias pointing to Profound UI's "start.html". Also have it set up so if they try to access it using "http://", it will rewrite and force "https://". Our clients then use a general IBM profile (same for all clients) to log in and get presented with a second logon screen. This second logon is where their access level gets determined. This is all working great.

One thing I noticed though, is they can go to "https://examplesite.com/profoundui/designer" and it will prompt for the IBM profile. If they enter the general IBM profile that was created for the above use, it'll load up Visual Designer. This is not good.

Is there a way in the HTTP configuration to block "/profoundui/designer" for external access, but still allow it for local/internal access? Or am I going about this the wrong way? I could remove the designer Alias, but then I wouldn't be able to access the designer at all, even locally.

Perhaps the ability to restrict Visual Designer to only certain user profiles?

Any help is greatly appreciated. Thanks,
-RC
There are 10 types of people in this world: Those who understand binary and those who don't.
User avatar
David
Profound Logic Staff Member
Posts: 690
Joined: Fri Jan 04, 2008 12:11 pm
First Name: David
Last Name: Russo
Company Name: Profound Logic Software
Contact:

Re: External Designer Access

Post by David »

You could disallow the general IBM i profile from accessing the designer program using system authorities. Would this help?

The designer is a normal system object, PROFOUNDUI/PUI0001100 *PGM. You can set authorities on this in the normal way to control access by profile.

If you set the generic IBM i profile to *EXCLUDE on this object, they should then get a 403 - Not Authorized error if they attempt to sign into the designer with this profile.
RussCraig
Profound User
Posts: 62
Joined: Wed May 05, 2010 10:13 am
First Name: Russell
Last Name: Craig
Company Name: Applied Business Services
Phone: 252-482-7666
Address 1: 617 Soundside Rd
City: Edenton
State / Province: North Carolina
Zip / Postal Code: 27932
Country: United States
Location: Edenton, NC
Contact:

Re: External Designer Access

Post by RussCraig »

Object authorities! Duh!

That's exactly what I needed. I now have the designer limited to a single profile.

Huzzah for more security :-P

Thanks!
-RC
There are 10 types of people in this world: Those who understand binary and those who don't.
Post Reply

Who is online

Users browsing this forum: BrianRees and 3 guests