
How to hide Thingworx Appkey, Composer?

CHASEONHO
18-Opal


Hi, I have 2 questions about ThingWorx.

 


1. Change URL
How can AppKey show mashups without being exposed?

 

2. Protect Composer page
Users typically go to the Squeal page if no home mashup is specified.
However, you can go directly to the Composer page by entering Composer directly.
Customers do not want it. Can I prevent a user other than a specific user or administrator from entering the Composer page?
Or can I replace the URL that currently enters the Composer page(<host>:<port>/Thingworx/Composer) with a specific format(<host>:<port>/IoT/<SomeKeyValue>/Composer)?

 

Thanks


PaiChung
22-Sapphire I
(To:CHASEONHO)

For appkeys the security is really in the limited permissions you assign to it, to only accomplish the tasks necessary.

As such these aren't generally recommended for Session based interactions like Mashups.

You can in certain use cases justify it, like general display boards or registration.

The recommended way to 'hide' it is to have it in the header of a call and not in the URL

 

For composer you can now set up user profiles such that if they do end up in composer they have no menus available to them.

 

I would also set up an organization to apply visibility so they can only see what they need to.

Thank you for your reply.


What I learned from your answer is that it seems preferable to use the AppKey to communicate with ThingWorx and not to use it to show mashups.

 

I think making it so that users cannot access the Composer page is a better way than modifying the user's profile to hide the left-hand collection of the Composer page or using the organization to limit visibility.

 

Could you change the URL of the composer page?
I am wondering if there is any way to change /Thingworx/Composer/.
I wonder if I can change the proposition called Composer to access the composer page with another proposition.

 

Now, I approach the Composer page through the address /Thingworx/Composer.
But can I change it to access the Composer page through /Thingworx/<Some Value>?

Thank you.

PaiChung
22-Sapphire I
(To:CHASEONHO)

We do not recommend moving/removing/aliasing whatever people might do to remove composer.

I understand the concern, but the only people that would end up in composer if you properly set redirects or home mashups is if they intentionally / specifically navigate to that link (<server>/Thingworx/Composer)

For regular end users I think that is rare, and if some of them do know Thingworx, they would go there because they are curious or ... trying to hack :D.

So properly setting up permissions and the profile will help with that.

Thank you for your answer.
But what I wanted was to make it possible for a specific user, not everyone, to go to the Composer page.
To solve this problem, I found a way to limit access to the Composer page through Tomcat configuration.
Tomcat's remote address configuration allows only the local host to access the Composer page.
Thanks

Hi CHASEONHO,

 

Can you please share the setting that you have set in Tomcat? I have the same requirement as yours, to stop some users from accessing the Composer.

 

 

Thanks. 

 

This can be done by modifying Tomcat's web.xml.
Open the web.xml under conf in the Tomcat installation directory with a text editor (I used Notepad++).
Add the following syntax:
(Search for "Built In Filter Mappings" and add it)

    <filter>
      <filter-name>Remote Address Filter</filter-name>
      <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
      <init-param>
        <param-name>allow</param-name>
        <!-- Write the IP to allow access here. -->
        <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|66\.12\.8\.45</param-value>
      </init-param>
    </filter>


  <!-- ==================== Built In Filter Mappings ====================== -->

  <!-- The mapping for the HTTP header security Filter -->
    <filter-mapping>
      <filter-name>Remote Address Filter</filter-name>
      <!-- Write a url pattern that only IPs that are allowed to access can be connected -->
      <url-pattern>/Composer/*</url-pattern>
      <url-pattern>/Squeal/*</url-pattern>
    </filter-mapping>

PS
You may also refer to the following site.
https://geekflare.com/tomcat-http-security-header/
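
A small model of what this configuration does, as an added example (not code from the post or from Tomcat): it applies the post's allow regex and URL patterns to constructed requests, so the allow list can be checked before web.xml is changed. It assumes ThingWorx is deployed under the /Thingworx context path.

```python
import re

# Values copied from the web.xml in the post above.
ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|66\.12\.8\.45"
URL_PATTERNS = ["/Composer/*", "/Squeal/*"]
# Assumption: ThingWorx is deployed under the /Thingworx context path.
# conf/web.xml is Tomcat's global default, so other webapps get the filter too.
CONTEXT_PATH = "/Thingworx"

_allow = re.compile(ALLOW, re.ASCII)


def filter_applies(request_uri):
    """Servlet prefix mapping: '/x/*' covers '/x' and anything under '/x/',
    matched against the part of the URI that follows the context path."""
    if not request_uri.startswith(CONTEXT_PATH + "/"):
        return False
    path = request_uri[len(CONTEXT_PATH):]
    for pattern in URL_PATTERNS:
        prefix = pattern[:-2]  # drop the trailing '/*'
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def status_for(remote_addr, request_uri):
    """403 when the filter applies and the whole address fails the allow regex
    (RemoteAddrFilter matches the entire string); otherwise 200, meaning the
    request is passed on to ThingWorx, which still applies its own login."""
    if filter_applies(request_uri) and not _allow.fullmatch(remote_addr):
        return 403
    return 200


# Constructed sample requests: (remote address seen by Tomcat, request URI).
SAMPLES = [
    ("127.0.0.1", "/Thingworx/Composer/index.html"),
    ("::1", "/Thingworx/Composer"),
    ("66.12.8.45", "/Thingworx/Squeal/"),
    ("10.1.2.3", "/Thingworx/Composer/index.html"),
    ("166.12.8.45", "/Thingworx/Composer/"),
    ("10.1.2.3", "/Thingworx/Runtime/index.html"),
]

if __name__ == "__main__":
    for addr, uri in SAMPLES:
        print(f"{addr:<12} {uri:<34} -> {status_for(addr, uri)}")
```

If Tomcat sits behind a reverse proxy or load balancer, the address it sees is the proxy's, so the allow list has to be evaluated against the real client address (Tomcat's RemoteIpValve or RemoteIpFilter) or enforced at the proxy itself.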
