cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can change your system assigned username to something more personal in your community settings. X

Prevent composer access to TW users

satish
1-Newbie

Prevent composer access to TW users

Hi,

IoT Application user should not be able to login to TW composer at all. Is this possible? I created a user with no permissions at all including removed from everyone organization. But user can still login to composer, but can not see anything.

So can we setup a user who is meant to access only runtime mashup or services, but no access at all to TW composer?

Regards

Satish

19 REPLIES 19
Aanjan
9-Granite
(To:satish)

If the link the user is trying to access is, say localhost/Thingworx, the user would get redirected to either the SQUEAL interface or Composer based on the permissions. The only thing I can think of is using the Organizations Form Login and redirecting the user to a specific Home Mashup.

qn
1-Newbie
1-Newbie
(To:Aanjan)

Hi Aanjan, after redirected the user to a specific Home Mashup, he still can change the URL link to access to Composer right ?

Aanjan
9-Granite
(To:qn)

Yep, you can add a custom link/ button (anything that accepts a link) to go to the Composer.

tcoufal
12-Amethyst
(To:Aanjan)

And that's the problem..

tcoufal
12-Amethyst
(To:satish)

Only way how to restrict access to composer is to create a Realm in Tomcat and protect the web-resource. Here is an older example how to do that, it should be still valid though. Using Tomcat 4 Security Realms - O'Reilly Media

If not here is a complete Real config HowTo:

Apache Tomcat 6.0 (6.0.44) - Realm Configuration HOW-TO

qn
1-Newbie
1-Newbie
(To:tcoufal)

Hi, the Realm can protect the webapp ThingWorx with an user access, but I don't know how it can prevent Composer access.

tcoufal
12-Amethyst
(To:qn)

You might take a look at something called Valves, which they can be configured in context.xml. That should allow access (or deny) on IP or Hostname basis.

But if security matters to you deeply, you should run the Thingworx server behind Firewall  some sort (PFsense, etc..). You will gain great deal of control over it.

But direct support for that in Thingworx would be also great.

tcoufal
12-Amethyst
(To:satish)

Add this section in your web.xml (located under Thingworx folder in Tomcat). It will allow access to Composer via localhost only (or what ever, based on java.util.regex). (Apache Tomcat 7 Configuration Reference (7.0.67) - Container Provided Filters)

<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
  <param-name>allow</param-name>
  <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
  </init-param>
  </filter>
  <filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/Composer/*</url-pattern>
  </filter-mapping>

qn
1-Newbie
1-Newbie
(To:tcoufal)

Hi,

Thank you for your answer. I tried the Remote Address Filter. I allow my own IP address (10...., not localhost) but it doesn't work...

tcoufal
12-Amethyst
(To:qn)

Could you send me your regexp? I will try it on my end. What version of Tomcat are running?

qn
1-Newbie
1-Newbie
(To:tcoufal)

In fact, I had a small syntax error. It works now ! While trying to open Composer page from another adress IP, I had "HTTP Status 403 ... Access to the specified resource has been forbidden".

Thank you !

I think I'll do the same with Squel, Things ...

tcoufal
12-Amethyst
(To:qn)

You can create quite complex rules with RegExp. Be carefull with Things though. If you have remote system(s) which is(are) using TW resources vie it's REST, filter may block it. I have not tested it yet.

In a production environment is always good idea to use additional systems as secure layer (firewall, proxy, etc.). You can install Tomcat on top of Apache (as AMP stack). That way you can use .htaccess file(s) and it's syntax to secure it on provider level.

Can you mark that question as answered? 

qn
1-Newbie
1-Newbie
(To:tcoufal)

As I'm not the owner of this discussion, I can't mark the answer. Only Satish can do that...

By the way, what do you mean by "install Tomcat on top of Apache" and "use .htaccess to secure it on provider level" ?

tcoufal
12-Amethyst
(To:qn)

Normaly the Tomcat is used as "stand-alone" scenario. Which is perfectly good for Thingworx (only). Problem with that is that:

  1. Tomcat is not as fast as Apache when it comes to static pages.
  2. Tomcat is not as configurable as Apache.
  3. Tomcat is not as robust as Apache.
  4. There are many sites with long time investment in certain web servers, for example, sites that are using CGI scripts/Server API modules/perl/php.

So you can take a prebuild AMP stack like a XAMPP for Windows or LAMP for Linux and with proper configuration you can use Apache for serving the static/dynamic web content (html,php,perl what have you) and use Tomcat as a Servlet/JSP add-on.

You can take a look here (Tomcat-Apache HOWTO) that is older guide, but as a knowledgebase it should be of some use.

ngarad
5-Regular Member
(To:qn)

Hi,

I modified the web.xml for remote address filter, but then Thingworx is not getting launched. Can you please let me know how did you do this?

Thanks

Nagnath

tcoufal
12-Amethyst
(To:ngarad)

Hi,

you could probably go through the log files. Perhaps its a syntax error in your xml file.

qn
1-Newbie
1-Newbie
(To:tcoufal)

Hi Tomas,

Is it possible to precise a port in <param-value>, for example "127.0.0.1:8443" ? I'd like to allow access to Composer only on the port 8443. In Valve, it's "127.0.0.1;8443", but there's not the parameter "url-pattern".

keriw
1-Newbie
(To:satish)

I believe you could create an authenticator to do what you are looking at doing, write custom code to error out if trying to get to composer if not a valid user for composer.

qn
1-Newbie
1-Newbie
(To:keriw)

Hi Keri, do you mean authenticator like an ThingWorx user or a Tomcat user ?

Top Tags