cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Prevent composer access to TW users

Newbie

Prevent composer access to TW users

Hi,

IoT Application user should not be able to login to TW composer at all. Is this possible? I created a user with no permissions at all including removed from everyone organization. But user can still login to composer, but can not see anything.

So can we setup a user who is meant to access only runtime mashup or services, but no access at all to TW composer?

Regards

Satish

19 REPLIES 19

Re: Prevent composer access to TW users

If the link the user is trying to access is, say localhost/Thingworx, the user would get redirected to either the SQUEAL interface or Composer based on the permissions. The only thing I can think of is using the Organizations Form Login and redirecting the user to a specific Home Mashup.

Re: Prevent composer access to TW users

Only way how to restrict access to composer is to create a Realm in Tomcat and protect the web-resource. Here is an older example how to do that, it should be still valid though. Using Tomcat 4 Security Realms - O'Reilly Media

If not here is a complete Real config HowTo:

Apache Tomcat 6.0 (6.0.44) - Realm Configuration HOW-TO

Re: Prevent composer access to TW users

Hi, the Realm can protect the webapp ThingWorx with an user access, but I don't know how it can prevent Composer access.

Re: Prevent composer access to TW users

Hi Aanjan, after redirected the user to a specific Home Mashup, he still can change the URL link to access to Composer right ?

Re: Prevent composer access to TW users

You might take a look at something called Valves, which they can be configured in context.xml. That should allow access (or deny) on IP or Hostname basis.

But if security matters to you deeply, you should run the Thingworx server behind Firewall  some sort (PFsense, etc..). You will gain great deal of control over it.

But direct support for that in Thingworx would be also great.

Re: Prevent composer access to TW users

Yep, you can add a custom link/ button (anything that accepts a link) to go to the Composer.

Re: Prevent composer access to TW users

And that's the problem..

Re: Prevent composer access to TW users

Add this section in your web.xml (located under Thingworx folder in Tomcat). It will allow access to Composer via localhost only (or what ever, based on java.util.regex). (Apache Tomcat 7 Configuration Reference (7.0.67) - Container Provided Filters)

<filter>
  <filter-name>Remote Address Filter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
  <param-name>allow</param-name>
  <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
  </init-param>
  </filter>
  <filter-mapping>
  <filter-name>Remote Address Filter</filter-name>
  <url-pattern>/Composer/*</url-pattern>
  </filter-mapping>

Re: Prevent composer access to TW users

Hi,

Thank you for your answer. I tried the Remote Address Filter. I allow my own IP address (10...., not localhost) but it doesn't work...