WebFOCUS User Authentication Options

The first step in securing a WebFOCUS application is to require each user to provide credentials before being allowed into the application.

In most cases, it is desirable to authenticate users once and configure the WebFOCUS environment so that the context of the user is propagated to subsequent components. This is convenient for the user, who provides ID and password only once to use the application.

You can use a wide variety of authentication options depending on where you want the authentication to take place and what authentication provider you intend to use. The credentials can be verified internally or using an external authentication provider.

Internal authentication uses the native authentication routines of a WebFOCUS component, such as the WebFOCUS Reporting Server or Managed Reporting. The WebFOCUS Reporting Server, by default, uses operating system logon credentials for authentication. Managed Reporting, by default, authenticates against credentials stored in the Managed Reporting Repository.

In addition, Web servers can be configured to act as an intermediary between WebFOCUS and some of these external repositories. The Web server performs authentication and sets the REMOTE_USER variable, which WebFOCUS then passes to its components using trusted mode. (Web server authentication is described in Configuring Managed Reporting for Trusted or External Authentication.) Web server authentication can be used with the internal Managed Reporting Repository or an external repository.

No Authentication

Users are not required to provide credentials. This is useful for displaying public information that requires no personalization.

Authentication on the Web Tier

The Web server issues an HTTP 401 challenge for credentials, which results in the browser prompting for a user ID and password. These credentials are not stored in a cookie but stay in browser memory and are passed to the Web server in an HTTP header with each request. To protect the credentials, the entire session should be conducted over HTTPS. This authentication takes place prior to accessing WebFOCUS. WebFOCUS trusts that authentication has taken place without displaying a logon page that asks for the credentials of a user. For more information about configuring this Trusted authentication, see Configuring Managed Reporting for Trusted or External Authentication.

Authentication on the Web tier enables all applications on that Web server (not only WebFOCUS applications) to take advantage of a single logon. Passwords and their security are handled by the Web server itself or the Web server in conjunction with a third-party security application. This type of authentication is readily integrated with LDAP and operating system security.

Web authentication can be used with the WebFOCUS internal security model, or it can be implemented with the following types of external security:

Third-party security package authentication. Typically, a third-party security program is plugged into the Web server to intercept requests prior to general processing by the Web server. After authentication, the third-party package places the identity of the user in the Web server environment variable REMOTE_USER, WF_REMOTE_USER, or an HTTP header. For more information, see Configuring Managed Reporting for Trusted or External Authentication.
Third-party environment portal. WebFOCUS Open Portal Services supports Microsoft SharePoint, BEA WebLogic, and Plumtree. These portals authenticate the user and can be configured to securely pass the user ID to WebFOCUS to achieve single sign-on. For information on Open Portal Services, see the WebFOCUS Open Portal Services Administrator's Manual.

Authentication by the WebFOCUS Reporting Server

By default, the WebFOCUS Client passes credentials to the WebFOCUS Reporting Server for authentication when Managed Reporting is not installed. (Managed Reporting can also be configured for authentication by the Reporting Server. For information about configuring Managed Reporting for Reporting Server authentication, see Configuring Managed Reporting for Trusted or External Authentication.)

If the WebFOCUS Client does not pass credentials to the WebFOCUS Reporting Server, the WebFOCUS Reporting Server can prompt for credentials. For information, see Setting Authentication Credentials.

The WebFOCUS Reporting Server has several authentication options:

Operating System. By default, the WebFOCUS Reporting Server verifies credentials against the security package of the local operating system. This type of authentication is implemented if you have not configured a different security mode and if the server has been granted sufficient privileges to run in this mode. In this configuration, the server allocates a data access agent that fully impersonates the connected user so that access control to files or other objects is guaranteed by the native system.
DBMS. The WebFOCUS Reporting Server can be configured to pass the credentials to a relational database for authentication. This type of authentication is implemented by the Reporting Server setting EDAEXTSEC=DBMS. In this configuration, there is no need for common user IDs, and the Reporting Server opens agents with the RDBMS user ID.
LDAP. A WebFOCUS Reporting Server on UNIX or Windows can be configured to pass the credentials to an LDAP directory for authentication. This type of authentication is implemented by the Reporting Server setting EDAEXTSEC=LDAP. In this configuration, there is no impersonation of the user.
Custom Solution. You can implement a WebFOCUS Reporting Server PVUIDXT exit to perform authentication. For more information about this technique, see Developing a Reporting Server Authentication Exit.

Determining Which Authentication Method to Use

The most fundamental element of security is identifying and authenticating the credentials of a user. Sites may choose an authentication method based on existing third-party repositories already in use by other applications on the Web server or by analyzing their weaknesses and placing authentication at the most vulnerable point.

Frequently, different requirements for authentication exist at different points within an application. It is important to consider the following early in the planning phase:

Decisions about the specific method of authentication. These decisions include which passwords are stored and where they are stored in the environment, when these codes expire, and how many characters or digits are allowed.
Where the authentication should occur. Most likely, the decision about where authentication should occur will be made based on which platforms have the most robust security enforcement and the most sensitive data. Authentication may take place when logging on to the operating system, while a further layer of authentication might be required when accessing an application, such as WebFOCUS. In another example, authentication may take place when logging on to the operating system, while the application then allows all previously authenticated users to access resources without reauthenticating (this is called "trusted" authentication).
The number of times a user will be asked to log on. The perspective of the user should also be taken into account to minimize the number of disruptions in processing and passwords to be remembered.