
How to safely give access to ThingWorx platform to final client ?

qn
12-Amethyst

Hi,

This is one of several methods I must use to secure the ThingWorx deployment and production. The ThingWorx platform is based on our server. My final clients will have access to and use the mashup created from ThingWorx. Do you have an idea how to do it safely? Of course, there are some users created for different clients.

Here are some problems:

- Giving the direct link of FormLogin / Mashup to the client: they can simply modify the link to get access to Composer, for example. Even if they can't modify my Things, my DataShapes ..., it's better not to give access to Composer. Is there something to do with the group Users in the organization Everyone?

- Trying to place the Mashup in an iframe: the web page source code shows the "src" link of the iframe. Is it possible to hide it?

- Only allow access to Composer with the Tomcat filter "Remote Address Filter" (https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#Remote_Address_Filter): when giving my IP address (10.19....., not localhost), I can't open any page of ThingWorx.

Thank you in advance for your answers. Maybe finding a solution for this problem could help others too.

Quang-Dung

ACCEPTED SOLUTION

qn
12-Amethyst
(To:qn)

I found out that I should simply add other groups to the Everyone organization, so I can log in with different users.

Removing the group Users and adding specific groups to the Everyone organization is just to be sure to enable FormLogin only for some specific users and groups of users.


Aanjan
12-Amethyst
(To:qn)

I believe 'hiding' the Composer or removing visibility to the Composer is one of the features that has been requested to add to ThingWorx 7.x release. I'll be able to give you more information on that front once I get any.

*Edit*

Regarding the Remote Address Filter, once you add that, can you access Tomcat manager? Even if that doesn't open, maybe it has something to do with the port.

qn
12-Amethyst
(To:Aanjan)

Regarding the Remote Address Filter, I did indeed have some problems with Tomcat ROOT. I tried with another VM and the Remote Address Filter works, as described in "Prevent composer access to TW users".

I think I will do the same with Squeal, Things ...
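
The Remote Address Filter setup discussed above, as an added example that is not part of the original thread or PTC's own configuration. It assumes the filter is declared in the ThingWorx web application's `WEB-INF/web.xml` and that Composer is served under `/Composer/` inside that application; the filter name `ComposerRemoteAddr` and the address `192.0.2.10` are constructed placeholders.

```xml
<!-- Added example: restrict Composer to loopback plus one admin workstation. -->
<!-- Assumption: this sits in the ThingWorx webapp's WEB-INF/web.xml. -->
<filter>
  <!-- Hypothetical filter name chosen for this example. -->
  <filter-name>ComposerRemoteAddr</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <!-- "allow" is a java.util.regex pattern matched against the whole
         client address. Escape the dots: an unescaped "." matches any
         character and silently widens the allow list.
         192.0.2.10 is a placeholder; substitute the real admin address. -->
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.0\.2\.10</param-value>
  </init-param>
  <init-param>
    <!-- Answer 404 instead of the default 403 so a denied client
         does not learn that the path exists. -->
    <param-name>denyStatus</param-name>
    <param-value>404</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>ComposerRemoteAddr</filter-name>
  <!-- The pattern is relative to the webapp context, so only Composer
       URLs are filtered. Mapping to /* instead would also filter
       FormLogin and mashup requests from every client not on the list. -->
  <url-pattern>/Composer/*</url-pattern>
</filter-mapping>
```

The filter sees the address of whatever connects to Tomcat, so behind a reverse proxy or load balancer every request carries the proxy's address unless Tomcat is configured to restore the client address. Any URL under `/Composer/`, including an organization login path of the form quoted later in this thread, is covered by this mapping.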

qn
12-Amethyst
(To:qn)

Now I have another issue in securing the ThingWorx platform. As I once saw in PTC University, I removed the group Users from the organization Everyone.

After that, all of the users created can't access ThingWorx through "/ThingWorx/FormLogin". I only receive the error: "Credentials do not match a valid username-password combination for this Organization. Please try again." Even the default user "Administrator" can't log in. Every user belongs to at least one group which belongs to only one organization.

When I add the group Users to the organization, all user logins work again.

Can someone please tell me what I must do in order to remove the group Users from the organization Everyone, and whether I should do that?

keriw
12-Amethyst
(To:qn)

Hi,

The above would have worked, but you needed to go to the user's specific FormLogin page. For instance, if you had an Organization called MotorBay, then you would log in via:

/Thingworx/Composer/FormLogin/MotorBay
