Community Tip - Learn all about PTC Community Badges. Engage with PTC and see how many you can earn! X
Hi,
IoT Application user should not be able to login to TW composer at all. Is this possible? I created a user with no permissions at all including removed from everyone organization. But user can still login to composer, but can not see anything.
So can we setup a user who is meant to access only runtime mashup or services, but no access at all to TW composer?
Regards
Satish
If the link the user is trying to access is, say localhost/Thingworx, the user would get redirected to either the SQUEAL interface or Composer based on the permissions. The only thing I can think of is using the Organizations Form Login and redirecting the user to a specific Home Mashup.
Hi Aanjan, after redirected the user to a specific Home Mashup, he still can change the URL link to access to Composer right ?
Yep, you can add a custom link/ button (anything that accepts a link) to go to the Composer.
And that's the problem..
Only way how to restrict access to composer is to create a Realm in Tomcat and protect the web-resource. Here is an older example how to do that, it should be still valid though. Using Tomcat 4 Security Realms - O'Reilly Media
If not here is a complete Real config HowTo:
Hi, the Realm can protect the webapp ThingWorx with an user access, but I don't know how it can prevent Composer access.
You might take a look at something called Valves, which they can be configured in context.xml. That should allow access (or deny) on IP or Hostname basis.
But if security matters to you deeply, you should run the Thingworx server behind Firewall some sort (PFsense, etc..). You will gain great deal of control over it.
But direct support for that in Thingworx would be also great.
Add this section in your web.xml (located under Thingworx folder in Tomcat). It will allow access to Composer via localhost only (or what ever, based on java.util.regex). (Apache Tomcat 7 Configuration Reference (7.0.67) - Container Provided Filters)
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/Composer/*</url-pattern>
</filter-mapping>
Hi,
Thank you for your answer. I tried the Remote Address Filter. I allow my own IP address (10...., not localhost) but it doesn't work...
Could you send me your regexp? I will try it on my end. What version of Tomcat are running?
In fact, I had a small syntax error. It works now ! While trying to open Composer page from another adress IP, I had "HTTP Status 403 ... Access to the specified resource has been forbidden".
Thank you !
I think I'll do the same with Squel, Things ...
You can create quite complex rules with RegExp. Be carefull with Things though. If you have remote system(s) which is(are) using TW resources vie it's REST, filter may block it. I have not tested it yet.
In a production environment is always good idea to use additional systems as secure layer (firewall, proxy, etc.). You can install Tomcat on top of Apache (as AMP stack). That way you can use .htaccess file(s) and it's syntax to secure it on provider level.
Can you mark that question as answered?
As I'm not the owner of this discussion, I can't mark the answer. Only Satish can do that...
By the way, what do you mean by "install Tomcat on top of Apache" and "use .htaccess to secure it on provider level" ?
Normaly the Tomcat is used as "stand-alone" scenario. Which is perfectly good for Thingworx (only). Problem with that is that:
So you can take a prebuild AMP stack like a XAMPP for Windows or LAMP for Linux and with proper configuration you can use Apache for serving the static/dynamic web content (html,php,perl what have you) and use Tomcat as a Servlet/JSP add-on.
You can take a look here (Tomcat-Apache HOWTO) that is older guide, but as a knowledgebase it should be of some use.
Hi,
I modified the web.xml for remote address filter, but then Thingworx is not getting launched. Can you please let me know how did you do this?
Thanks
Nagnath
Hi,
you could probably go through the log files. Perhaps its a syntax error in your xml file.
Hi Tomas,
Is it possible to precise a port in <param-value>, for example "127.0.0.1:8443" ? I'd like to allow access to Composer only on the port 8443. In Valve, it's "127.0.0.1;8443", but there's not the parameter "url-pattern".
I believe you could create an authenticator to do what you are looking at doing, write custom code to error out if trying to get to composer if not a valid user for composer.
Hi Keri, do you mean authenticator like an ThingWorx user or a Tomcat user ?