Solved: Re: How to safely give access to ThingWorx platfor...

qn · ‎Jan 13, 2016

Hi,

This is a part of several methods I must use to secure the ThingWorx deployment and production. The ThingWorx platform is based on our server. My final clients will have access and use the mashup created from ThingWorx. Do you have an idea how to do it safely ? Of course there are some users created for different clients.

Here are some problems:

- Giving the direct link of FormLogin / Mashup to client: they can simply modifiy the link to have access of Composer for example. Even if they can't modify my Things, my DataShapes ..., it's better to not giving access to Composer. Is there something to do with the group Users in the organization Everyone ?

- Trying to place the Mashup in an iframe: web page source code shows the link "src" of iframe. It is possible to hide it ?

- Only allow access to Composer with the Tomcat filter "Remote Address Filter" (https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#Remote_Address_Filter): when giving my IP address (10.19....., not localhost), I can't open any page of ThingWorx.

Thank you in advance for your answers. Maybe finding a solution for this problem could help others too.

Quang-Dung

qn · ‎Jan 14, 2016

I found out that I should simply add others groups to Everyone organization. So I can login with different users.

Remove group User and add specific groups to Everyone organization is just to be sure to enable FormLogin only for some specific users and groups of users.

View solution in original post

Aanjan · ‎Jan 13, 2016

I believe 'hiding' the Composer or removing visibility to the Composer is one of the features that has been requested to add to ThingWorx 7.x release. I'll be able to give you more information on that front once I get any.

*Edit*

Regarding the Remote Address Filter, once you add that, can you access Tomcat manager? Even if that doesn't open, maybe it has something to do with the port.

qn · ‎Jan 14, 2016

Regarding the Remote Address Filter, I had some problems with Tomcat ROOT indeed. I tried with another VM and Remote Address Filter works, as described in Prevent composer access to TW users.

I think I will do the same with Squeal, Things ...

qn · ‎Jan 14, 2016

Now I have another issue in order to secure the ThingWorx platform. As I saw once in PTC University, I remove the group Users from the organization Everyone.

After that, All of users created can's access to ThingWorx through "/ThingWorx/FormLogin". I only receive the error: "Credentials do not match a valid username-password combination for this Organization. Please try again." Even the default user "Administrator" can't login. Every user belongs to at least one group which belongs to only one organization.

When I add the group Users to the Organization. All user login work again.

Can someone please tell me what must I do in order to remove the group Users from the organization Everyone and should I do that.

qn · ‎Jan 14, 2016

I found out that I should simply add others groups to Everyone organization. So I can login with different users.

Remove group User and add specific groups to Everyone organization is just to be sure to enable FormLogin only for some specific users and groups of users.

keriw · ‎Feb 09, 2017

Hi,

The above would have worked but you needed to go the User's specific formlogin page for instance if you had an Organization called MotorBay then you would login in via:

/Thingworx/Composer/FormLogin/MotorBay

How to safely give access to ThingWorx platform to final client ?

How to safely give access to ThingWorx platform to final client ?