I have ProfoundUI set up using SSL so our clients can connect remotely. It works great, they can go to "https://examplesite.com/client", and it runs the Alias pointing to Profound UI's "start.html". Also have it set up so if they try to access it using "http://", it will rewrite and force "https://". Our clients then use a general IBM profile (same for all clients) to log in and get presented with a second logon screen. This second logon is where their access level gets determined. This is all working great.
One thing I noticed though, is they can go to "https://examplesite.com/profoundui/designer" and it will prompt for the IBM profile. If they enter the general IBM profile that was created for the above use, it'll load up Visual Designer. This is not good.
Is there a way in the HTTP configuration to block "/profoundui/designer" for external access, but still allow it for local/internal access? Or am I going about this the wrong way? I could remove the designer Alias, but then I wouldn't be able to access the designer at all, even locally.
Perhaps the ability to restrict Visual Designer to only certain user profiles?
Any help is greatly appreciated. Thanks,
-RC
External Designer Access
-
- Profound User
- Posts: 62
- Joined: Wed May 05, 2010 10:13 am
- First Name: Russell
- Last Name: Craig
- Company Name: Applied Business Services
- Phone: 252-482-7666
- Address 1: 617 Soundside Rd
- City: Edenton
- State / Province: North Carolina
- Zip / Postal Code: 27932
- Country: United States
- Location: Edenton, NC
- Contact:
External Designer Access
There are 10 types of people in this world: Those who understand binary and those who don't.
- David
- Profound Logic Staff Member
- Posts: 690
- Joined: Fri Jan 04, 2008 12:11 pm
- First Name: David
- Last Name: Russo
- Company Name: Profound Logic Software
- Contact:
Re: External Designer Access
You could disallow the general IBM i profile from accessing the designer program using system authorities. Would this help?
The designer is a normal system object, PROFOUNDUI/PUI0001100 *PGM. You can set authorities on this in the normal way to control access by profile.
If you set the generic IBM i profile to *EXCLUDE on this object, they should then get a 403 - Not Authorized error if they attempt to sign into the designer with this profile.
The designer is a normal system object, PROFOUNDUI/PUI0001100 *PGM. You can set authorities on this in the normal way to control access by profile.
If you set the generic IBM i profile to *EXCLUDE on this object, they should then get a 403 - Not Authorized error if they attempt to sign into the designer with this profile.
-
- Profound User
- Posts: 62
- Joined: Wed May 05, 2010 10:13 am
- First Name: Russell
- Last Name: Craig
- Company Name: Applied Business Services
- Phone: 252-482-7666
- Address 1: 617 Soundside Rd
- City: Edenton
- State / Province: North Carolina
- Zip / Postal Code: 27932
- Country: United States
- Location: Edenton, NC
- Contact:
Re: External Designer Access
Object authorities! Duh!
That's exactly what I needed. I now have the designer limited to a single profile.
Huzzah for more security :-P
Thanks!
-RC
That's exactly what I needed. I now have the designer limited to a single profile.
Huzzah for more security :-P
Thanks!
-RC
There are 10 types of people in this world: Those who understand binary and those who don't.
Who is online
Users browsing this forum: No registered users and 2 guests