8 Replies Latest reply on Jul 25, 2014 11:58 AM by grath

    Web Direct external authentication between multiple files

    grath

      Ok, I think I know the answer to this, but I hope someone has a workaround. I have a WebDirect solution that connects to several different external files and the login credentials are generic (same for everyone). The WebDirect solution is a note entry system and when you enter a note it grabs the username so I can tell who entered the note. While this works within the company, because it grabs the system name of the computer, it's not the same for WebDirect. WebDirect grabs the credentials you used to open the file and since I have generic credentials I can't tell who entered the note. From what I can tell I believe I will have to make an account for every web user in every file (which is several). While it's not hard, it's just a bunch of tedious work I would like to avoid. I know my security is lacking but this is how the system was handed to me when I started. Any suggestions?

        • 1. Re: Web Direct external authentication between multiple files
          Mike_Mitchell

          Yeah. Do the tedious work.  

           

          If you want to do the "right thing" and capture the user name of the person entering the record (which it sounds like you do), and you know this is an issue of proper security (which it sounds like you do), then it's probably time to dig in and do what you already know you need to do. The good news is, you can automate account creation through scripting and it's really not that much work. Check the Accounts script steps in the Manage Scripts dialog for useful script steps to accomplish the task.

           

          HTH

           

          Mike

          • 2. Re: Web Direct external authentication between multiple files
            grath

            Well, at least I'll have plenty of work to do. Thanks for the help.

            • 3. Re: Web Direct external authentication between multiple files
              Mike_Mitchell

              To help with entering accounts across multiple files, it's useful to keep a table with account names (not passwords) in a central location. You can then pass the account name and password (as entered or generated) as parameters around to the various files, running scripts in those files to synchronize the accounts. You can also write scripts that you (as the developer) can run that can automate the generation of multiple accounts in a matter of just a few minutes. Have the system loop over the records, passing in the account name as you go. You can use a custom function to generate an initial password. Here's one example:

               

              Let (
              [      xSet = "ABCDEFGHJKLMNPQRSTUVWXYZ!@#$%&_?!@#$%&_?!@#$%&_?abcdefghijkmnpqrstuvwxyz123456789";    // some characters deliberately missing to avoid confusion
                     xLen = Length ( xSet )
              ];

                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 ) &
                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 ) &
                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 ) &
                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 ) &
                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 ) &
                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 ) &
                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 ) &
                  Middle ( xSet ; Ceiling ( Random * xLen ) ; 1 )

              )

               

              (I don't remember where I got it from, or I'd give appropriate credit.) You can change the characters in the string (xSet) to adjust what characters you want to include in your generated passwords. Just add or remove Middle functions to change the length of the final result.

               

              Anyway, key things to keep in mind:

               

              1) Don't store the passwords in the table. Not necessary, and a security risk.

              2) Use parameters to pass the values around between the files.

              3) You'll have to predefine If - Else If - Else branching in your scripts based on privilege sets. (You can't dynamically assign them; they have to be coded into the Create Account script step.)

              4) If you want to change privilege sets on an existing account, you'll have to delete it and recreate it (there's no script step to change a priv set).

               

              HTH

               

              Mike
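
Added example, not part of the thread and not Mike_Mitchell's code: the same initial-password idea done outside FileMaker in Python, drawing from the operating system's CSPRNG, guaranteeing one character from each class of the post's xSet, and measuring how the repeated special characters in xSet affect entropy per character. The function names, the 12-character default and the case-insensitive handling of account names are assumptions made for this sketch; the generated pairs are meant to be passed to the account-creation scripts as parameters and never stored.

```python
import math
import secrets

# The post's xSet verbatim (special characters appear three times).
POST_XSET = ("ABCDEFGHJKLMNPQRSTUVWXYZ!@#$%&_?!@#$%&_?!@#$%&_?"
             "abcdefghijkmnpqrstuvwxyz123456789")

# The same character classes, each character listed once.
UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"
LOWER = "abcdefghijkmnpqrstuvwxyz"
DIGITS = "123456789"
SPECIAL = "!@#$%&_?"
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)

_rng = secrets.SystemRandom()  # backed by the OS CSPRNG


def initial_password(length=12):
    """Random password containing at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length must cover every character class")
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    _rng.shuffle(chars)  # guaranteed characters must not sit at fixed positions
    return "".join(chars)


def bits_per_char(char_set):
    """Shannon entropy of one uniform draw from a string that may hold repeats."""
    n = len(char_set)
    counts = [char_set.count(ch) for ch in set(char_set)]
    return -sum((k / n) * math.log2(k / n) for k in counts)


def provision(account_names, length=12):
    """Yield (account, password) pairs in memory; nothing is written to disk."""
    seen = set()
    for raw in account_names:
        name = raw.strip()
        key = name.lower()  # assumption: account names compared case-insensitively
        if not key or key in seen:  # skip blank rows and duplicate accounts
            continue
        seen.add(key)
        yield name, initial_password(length)
```

With the repeats, `bits_per_char(POST_XSET)` is about 5.87 bits against about 6.02 for the de-duplicated alphabet, so weighting toward special characters costs a little entropy per character rather than adding any.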

              • 4. Re: Web Direct external authentication between multiple files
                grath

                Would Server External authentication be a better method to look into? Would it solve my problem of identifying who entered the note?

                • 5. Re: Web Direct external authentication between multiple files
                  Mike_Mitchell

                  Yes, and yes.  

                   

                  External Authentication is always an excellent option, where you have it available. Get ( AccountName ) will report the user name inside the directory system you’re using (Open Directory or Active Directory) instead of the name of the external group, so you can get the info without having to create individual accounts for every user.

                   

                  HOWEVER …

                   

                  I can’t seem to find a reference in the WebDirect guide anywhere referencing EA. Nor on the forum, nor in the Security Guide. So I don’t know if it works for WebDirect. It didn’t with IWP. I haven’t tried it myself, so I can’t say for certain, but with so little information available, I wouldn’t hold out a lot of hope. Maybe someone with more experience in the area (Mike Beargie or Wim DeCorte, perhaps) can chime in.

                  • 6. Re: Web Direct external authentication between multiple files
                    grath

                    It probably needs to be done anyway. WebDirect is lower on the totem pole than improving the security as a whole. Does the FMI Tech brief on server external authentication for FM9 still apply to 13?

                    • 7. Re: Web Direct external authentication between multiple files
                      Mike_Mitchell

                      It might. But you're probably better off going with the current version.

                       

                      https://fmdev.filemaker.com/docs/DOC-3721

                      • 8. Re: Web Direct external authentication between multiple files
                        grath

                        I can't seem to find anything on WebDirect EA either. I'll test it and share what I find out. Thanks so much for the help.