4D v13.4Connection Security |
||
|
4D v13.4
Connection Security
Connection Security
The security of your 4D Web Server is based on the following elements:
Note: The security of the connection itself can be managed through the SSL protocol. For more information, refer to the Using SSL Protocol section. In the Database Settings, you can set the access control system that you want to apply to your Web server. Two authentication modes are provided: BASIC mode and DIGEST mode. The authentication mode concerns the way the information concerning the user name and password are collected and processed.
For the user, the use of either authentication mode is transparent. Notes:
You can now define, in the Database Settings dialog box, the access control system you want to apply to your Web server. To do this, choose the Options (I) page of the Web theme: In the "Passwords" area, three options are available to you:
Notes:
Here are the different resulting systems: The “Passwords with BASIC protocol” option is selected and the “Include 4D Passwords” option is not selected.
Note: If the user name sent by the browser is an empty string and if the On Web Authentication Database Method doesn’t exist, a password dialog box is sent to the browser. The “Passwords with BASIC protocol” and “Include 4D Passwords” options are selected.
Unlike BASIC mode, the DIGEST mode is not compatible with standard 4D passwords: it is not possible to use 4D passwords as Web IDs. The “Include 4D passwords” option is dimmed when this mode is selected. The IDs for Web users must be managed in a customized manner (for example, via a table). When the DIGEST mode is activated, the $6 parameter (password) is always returned empty in the On Web Authentication Database Method. In fact, when using this mode, this information does not pass by the network as clear text (unencrypted). It is therefore imperative in this case to evaluate connection requests using the WEB Validate digest command. The operation of the 4D Web server's access system is summarized in the following diagram: Certain robots (query engines, spiders...) scroll through Web servers and static pages. If you want robots to be able to access your entire site, you can define which URLs they are not allowed to access. User-Agent: <name> For example: User-Agent: * “User-Agent: *” means that all robots are affected. User-Agent: * In this case, robots are not allowed to access the entire site. You can designate a user, previously defined in the 4D password table, as a “Generic Web User.” In this case, each browser that connects to the database can use the access authorizations and restrictions associated with this generic user. You can therefore easily control the browser’s access to the different parts of the database. Note: Do not confuse this option, which allows you to restrict the browser’s access to different parts of the application (methods, forms, etc.), with the Web server’s connection control system, managed by the password system and the On Web Authentication Database Method. To define a Generic Web User:
All the Web browsers that are authorized to connect to the database will benefit from the access authorizations and restrictions associated with this Generic Web User (except when the BASIC mode and the “Include 4D Passwords” option are checked and the user that connects does not exist in the 4D password table, see below). The "Passwords with BASIC protocol" option does not influence how the Generic Web User operates. Whatever the state of this option, the access authorizations and restrictions associated with the “Generic Web User” will be applied to all the Web browsers that are authorized to connect to the database. However, when the "Include 4D passwords" option is selected, two possible results can occur:
This option in the Database Settings allows you to define the folder in which 4D will search for the static and semi-dynamic HTML pages, pictures, etc., to send to the browsers. Moreover, the HTML root folder defines, on the Web server hard drive, the hierarchical level above which the files will not be accessible. This access restriction applies to URLs sent to Web browsers as well as to 4D’s Web server commands, such as WEB SEND FILE. If a URL is sent to the database by a browser or if a 4D command tries to access a file located above the HTML root folder, an error is returned indicating that the file has not been found. By default, 4D defines a HTML Root folder named WebFolder. If it does not already exist, the HTML root folder is physically created on disk at the moment the Web server is launched for the first time.
You can modify the default HTML root folder name and location in the Database Settings dialog box (Web theme, Configuration page): In the “Default HTML Root” entry area, enter the new access path of the folder that you wish to define. The access path entered in this dialog box is relative: it is established from the folder containing the structure of the database (4D in local mode or 4D Server) or the folder containing the 4D application or software package (4D in remote mode). For multi-platform compatibility of your databases, the 4D Web server uses particular writing conventions to describe access paths. The syntax rules are as follows:
For example, if you want the HTML root folder to be the “Web” subfolder in the “4DDatabase” folder, enter 4DDatabase/Web. If you want the HTML root folder to be the database or 4D remote folder, but for access to the folders above to be forbidden, enter “/” in the area. For a completely free access to the volumes, leave the “Default HTML Root” area empty. WARNING: If you do not define a default HTML Root folder in the Preferences dialog box, the folder that contains the structure file of the database or the 4D application will be used. Be careful because in this case there are no access restrictions (users can access all the volumes). Notes:
The special 4DACTION URL and the 4DSCRIPT, 4DTEXT, 4DHTML (as well as the former 4DVAR and 4DHTMLVAR) tags, allow you to trigger the execution of any project method of a 4D database published on the Web. For example, the request http://www.server.com/4DACTION/Erase_All causes the execution of the Erase_All project method, if it exists.
This option is used to individually designate each project method that can be called using the special URL, 4DACTION, or the 4DSCRIPT, 4DTEXT and 4DHTML (as well as 4DVAR and 4DHTMLVAR) tags. When it is not checked, the project method concerned cannot be executed using an HTTP request containing a special URL or tag. Conversely, it can be executed using other types of calls (formulas, other methods, etc.). This option is unchecked by default for databases created. Methods that can be executed using the 4DACTION Web URL or the tags must be specifically indicated. In the Explorer, Project methods with this property are given a specific icon: This option on the "Web/Configuration" page of the Database SEttings lets you control support of requests containing /4DSYNC URLs. These URLs are used for synchronizing data through HTTP ((for more information about this mechanism, refer to URL 4DSYNC/). This option enables or disables specific processing of requests containing /4DSYNC:
By default:
The scope of this option is local to the application and the Web server must be restarted to take it into account. |
PROPERTIES
Product: 4D SEE ALSO
On Web Authentication Database Method |