Understanding Security and PMF

PMF is a WebFOCUS application designed to run within security protocols as configured for WebFOCUS MR/CUS (Information Builders’ named-user system). It is not designed to run for public or general users. Instead, it identifies its users so that appropriate task permissions and data security can be enforced.

Authentication and Authorization Between Web, MR/CUS, and PMF

Users must sign on through whatever system handles the primary web login. When the user credentials are passed to WebFOCUS MR/CUS security, by whatever means is in use (for example, direct submission of the credentials through a standard WebFOCUS sign-on page), MR/CUS either confirms the identity of the user and allows access for a valid session, or denies access because some part of the credentials does not match.

Once a user is logged in to the MR/CUS system, WebFOCUS turns control over to any intermediate portal layer (for example, the WebFOCUS BID portal, or a SharePoint or WebSphere portal). The PMF contexts are then called. At this point, both a WebFOCUS cookie and an MR cookie (or their equivalent session IDs) have been created. Control is then passed to PMF, which validates the user's access to the PMF application itself (the user must be identified by an Owner record in PMF). If the user is authorized, a WFUSER cookie is created, containing the information specific to the user's PMF session.

Diagram showing authentication and authorization between Web, MR/CUS, and PMF.

External Security Repository

If you have WebFOCUS MR configured to use an external security system (such as one based on LDAP, RACF, or ActiveDirectory), no special configuration is needed for your system to work with PMF. The MR security layer handles the authentication portion of the sign-on process. Once authentication succeeds, the user proceeds normally into the portal and from there to the PMF application.

For the most part, PMF is “unaware” of the actual protocols used to authenticate users. However, a user without proper authentication credentials cannot access critical data or perform any change control functions within the PMF application.

Webserver Security

Web server security (for example, HTTPS) can generally be used with PMF. PMF obtains the protocol initialization information from the WebFOCUS Client and uses the protocol that WebFOCUS specifies.

Take special care in a mixed web environment, for example, one in which some web resources are delivered using HTTPS and others using HTTP. As with any secure web application, PMF uses only the protocol that was used during the initial sign-on; it cannot support mixed-protocol access.

There are also situations where a user accesses web resources through an alias. The most common is using the protected server name localhost during access instead of the real host name. If you mix server contexts when using PMF, you are liable to trigger cross-site scripting errors in PMF. This happens because much of the PMF user interface is implemented in JavaScript, and the browser's same-origin policy, which sandboxes JavaScript, does not allow scripts from one server context (scheme, host name, and port) to operate on another.

This restriction is important because it protects you and your users from various forms of JavaScript injection attacks, which can seriously compromise security. Take note of this and adjust your use of the web environment to respect common security protocols accordingly.
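To make the server-context point concrete, here is an added example (not code from the PMF documentation or from Information Builders) that applies the browser's same-origin comparison to a sign-on URL and a set of resource URLs; the host name and paths are hypothetical.

```javascript
// Added example: report resources that do not share the browser origin of the
// sign-on URL. The same-origin policy compares scheme, host name, and port.

// Default ports per scheme, so that an explicit ":443" on an HTTPS URL is
// treated as the same origin as the URL without it, as browsers do.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host name, port).
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True when both URLs share a browser origin.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// List every resource that scripts loaded from the sign-on origin could not
// interact with, together with the reason(s) for the mismatch.
function findMixedContexts(signOnUrl, resourceUrls) {
  const base = originOf(signOnUrl);
  const problems = [];
  for (const url of resourceUrls) {
    const o = originOf(url);
    const reasons = [];
    if (o.scheme !== base.scheme) reasons.push(`scheme ${base.scheme} vs ${o.scheme}`);
    if (o.host !== base.host) reasons.push(`host ${base.host} vs ${o.host}`);
    if (o.port !== base.port) reasons.push(`port ${base.port} vs ${o.port}`);
    if (reasons.length > 0) problems.push({ url, reasons });
  }
  return problems;
}

// Constructed sample (hypothetical host and paths): sign-on over HTTPS on the
// public host name; resources via an explicit default port, HTTP, and localhost.
const SAMPLE_SIGNON = "https://bi.example.com/portal/";
const SAMPLE_RESOURCES = [
  "https://bi.example.com:443/pmf/", // same origin (default port)
  "http://bi.example.com/pmf/",      // mixed protocol
  "https://localhost/pmf/",          // aliased host name
];
```

Running `findMixedContexts(SAMPLE_SIGNON, SAMPLE_RESOURCES)` flags the HTTP and localhost entries and leaves the explicit-port entry alone.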

WebFOCUS Server Security

PMF can run under either unsecured or secured WebFOCUS Reporting Server environments. Most commonly, you would set up your WebFOCUS Reporting Server to treat the WebFOCUS Client as a trusted node, which avoids the more common security pitfalls and gives the best results. However, you can vary your security as needed.

In situations where the authenticated OS user credentials are passed through to the WebFOCUS Server (as happens in particular situations where older FOCUS applications were ported to WebFOCUS), note that all PMF users would then need to exist in the OS network bindery (for example, ActiveDirectory or LDAP) before they would be permitted to access the WebFOCUS Server resources needed to run PMF.

For example, the OPSYS and IWA security providers on a secured WebFOCUS Server can interfere with any WebFOCUS application if the end user is not authenticated against the operating system or ActiveDirectory binderies. Ensure that you have taken the proper steps to give your users access to the PMF application and to enable the WebFOCUS Server to support their use.