1-Visitor

Question

Prevent composer access to TW users

Forum|Forum|10 years ago
November 4, 2015
4 replies
8026 views

Hi,

IoT Application user should not be able to login to TW composer at all. Is this possible? I created a user with no permissions at all including removed from everyone organization. But user can still login to composer, but can not see anything.

So can we setup a user who is meant to access only runtime mashup or services, but no access at all to TW composer?

Regards

Satish

A

Aanjan

5-Regular Member

If the link the user is trying to access is, say localhost/Thingworx, the user would get redirected to either the SQUEAL interface or Composer based on the permissions. The only thing I can think of is using the Organizations Form Login and redirecting the user to a specific Home Mashup.

Q

qn_01

1-Visitor

Hi Aanjan, after redirected the user to a specific Home Mashup, he still can change the URL link to access to Composer right ?

A

Aanjan

5-Regular Member

Yep, you can add a custom link/ button (anything that accepts a link) to go to the Composer.

T

tcoufal

1-Visitor

Only way how to restrict access to composer is to create a Realm in Tomcat and protect the web-resource. Here is an older example how to do that, it should be still valid though. Using Tomcat 4 Security Realms - O'Reilly Media

If not here is a complete Real config HowTo:

Apache Tomcat 6.0 (6.0.44) - Realm Configuration HOW-TO

Q

qn_01

1-Visitor

Hi, the Realm can protect the webapp ThingWorx with an user access, but I don't know how it can prevent Composer access.

T

tcoufal

1-Visitor

You might take a look at something called Valves, which they can be configured in context.xml. That should allow access (or deny) on IP or Hostname basis.

But if security matters to you deeply, you should run the Thingworx server behind Firewall some sort (PFsense, etc..). You will gain great deal of control over it.

But direct support for that in Thingworx would be also great.

T

tcoufal

1-Visitor

Add this section in your web.xml (located under Thingworx folder in Tomcat). It will allow access to Composer via localhost only (or what ever, based on java.util.regex). (Apache Tomcat 7 Configuration Reference (7.0.67) - Container Provided Filters)

<filter> <filter-name>Remote Address Filter</filter-name> <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class> <init-param> <param-name>allow</param-name> <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value> </init-param> </filter> <filter-mapping> <filter-name>Remote Address Filter</filter-name> <url-pattern>/Composer/*</url-pattern> </filter-mapping>

Q

qn_01

1-Visitor

Hi,

Thank you for your answer. I tried the Remote Address Filter. I allow my own IP address (10...., not localhost) but it doesn't work...

T

tcoufal

1-Visitor

Could you send me your regexp? I will try it on my end. What version of Tomcat are running?

K

keriw

1-Visitor

I believe you could create an authenticator to do what you are looking at doing, write custom code to error out if trying to get to composer if not a valid user for composer.

Q

qn_01

1-Visitor

Hi Keri, do you mean authenticator like an ThingWorx user or a Tomcat user ?

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded