Restricting access to specific Transact pages

You can authorize access to these URLs using group/role names defined in Tomcat, LDAP and Microsoft Active Directory. The web.xml file can be found here: *{EPHESOFT_ROOT_DIR}\Application\WEB_INF\web.xml. By default, all URLs are authorized for all groups by using "*" in the auth-constraint node:

<auth-constraint>
   <role-name>*</role-name>
</auth-constraint>

To authorize a specific security role and LDAP container, modify the role-name node.

Examples of restricting access to pages

Allow the admin role to access BatchInstanceManagement.html.
<security-constraint>
   <web-resource-collection>
      <web-resource-name>batch instance management</web-resource-name>
      <url-pattern>/BatchInstanceManagement.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>admin</role-name>
   </auth-constraint>
</security-constraint>

The admin role is specified in the <auth-constraint> element.

Allow multiple roles (role2 and admin) to access BatchInstanceManagement.html.
<security-constraint>
   <web-resource-collection>
      <web-resource-name>batch instance management</web-resource-name>
      <url-pattern>/BatchInstanceManagement.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>role2</role-name>
      <role-name>admin</role-name>
   </auth-constraint>
</security-constraint>

Here, the <security-role> element does not need to be modified. It can remain as it is, with a single entry (*) allowing all groups. However, the server may log warnings if the <security-role> element is not mapped to groups individually. These warnings can be eliminated by providing a mapping for each role in the <security-role> element.

<security-role>
   <role-name>*</role-name>
</security-role>

Control access through Active Directory

To grant access to BatchClassManagement.html to only the following Active Directory groups, identified by their Distinguished Names as shown in JXplorer:

CN=GSTIRAAdmin,OU=Identifi,DC=ts2000,DC=com
CN=GSTIRAPowerUsers,OU=Identifi,DC=ts2000,DC=com
CN=GSTIRAUsers,OU=Identifi,DC=ts2000,DC=com

The <security-constraint> element is as follows:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>batch instance management</web-resource-name>
      <url-pattern>/BatchInstanceManagement.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>GSTIRAAdmin</role-name>
      <role-name>GSTIRAPowerUsers</role-name>
      <role-name>GSTIRAUsers</role-name>
   </auth-constraint>
</security-constraint>
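
To review what constraints like those above actually permit, the following Python audit lists each URL pattern with its allowed roles, flags the "*" wildcard, and reports when <http-method> entries limit a constraint to the listed methods. It is an added example, not Ephesoft code; the sample web.xml and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the page's admin-only constraint plus a wildcard one.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>batch instance management</web-resource-name>
      <url-pattern>/BatchInstanceManagement.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop the XML namespace so any web.xml schema version is handled."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    """Collect the stripped text of every descendant element called `name`."""
    return [e.text.strip() for e in elem.iter() if local(e.tag) == name and e.text]

def audit_constraints(xml_text):
    """Return one finding per url-pattern of each <security-constraint>."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        roles, methods = texts(sc, "role-name"), texts(sc, "http-method")
        for pattern in texts(sc, "url-pattern"):
            findings.append({
                "url": pattern,
                "roles": roles,
                "any_role": "*" in roles,  # wildcard: not limited to named roles
                # <http-method> entries restrict the constraint to those methods;
                # requests using other methods are not covered by it.
                "methods_limited_to": methods or None,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_constraints(SAMPLE_WEB_XML):
        print(finding)
```

A finding with a non-empty methods_limited_to list is worth a second look: the role restriction applies only to those methods, so confirm that another constraint covers the remaining ones.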