Connection Security

4D - Documentation   Français   English   German   4th Dimension 2004, Command Theme List   4th Dimension 2004, Command Alphabetical List   4th Dimension 2004, Constant Theme List   Back   Previous   Next

version 2004.2 (Modified)


The security of your 4D Web Server is based on the following elements:

The combination of the Web password management system and the On Web Authentication Database Method,

The definition of a Generic Web User,

The definition of an HTML Root folder by default,

The definition of the "Available through 4DACTION, 4DMETHOD and 4DSCRIPT" property for each project method of the database.

Note: The security of the connection itself can be managed through the SSL protocol. For more information, refer to section Using SSL Protocol.

Password Management System for Web Access


You can now define, in the Preferences dialog box, the access control system you want to apply to your Web server. To do this, in the Preferences dialog box, choose the Advanced page of the Web theme:

In the "Passwords" area, two options are available to you: Use Passwords and Include 4D Passwords. The second check box is only active if the first one has been selected.

Use Passwords: lets you manage access to the Web server using passwords. When a user connects to the server, a dialog box appears on their browser in order for them to enter their user name and password. These two values are then sent to the On Web Authentication Database Method along with the other connection parameters (IP address and port, URL...) so that you can process them.

Note: In this case, if the On Web Authentication Database Method doesn't exist, the connection is refused.

Include 4D Passwords: allows you to use, instead of or in addition to your own password system, 4D's database password system (as defined in 4D).

Notes:

- With the 4D Client Web server, keep in mind that all the sites published by the 4D Client machines will share the same table of users. Validation of users/passwords is carried out by the 4D Server application.

- Passwords entered by users are not encrypted in the HTTP requests (Basic mode).

Overview of the 4D Web Server's Access System

The system that filters connections to the 4D Web server depends on the combination of two parameters:

The Web password options in the Preferences dialog box,

The existence of the On Web Authentication Database Method.

Here are the different resulting systems:

No option is selected

Note: New databases are created with these parameters by default.

If the On Web Authentication Database Method exists, it is executed; besides $1 and $2, only the IP addresses of the browser and the server ($3 and $4) are returned, while the user name and password ($5 and $6) are left empty. In this case, you can filter the connections according to the browser's IP address and/or the server's IP address.

If the On Web Authentication Database Method doesn't exist, the connection is automatically accepted.

The "Use Passwords" option is selected and the "Include 4D Passwords" option is not selected.

If the On Web Authentication Database Method exists, it is executed and all its parameters are given. You can therefore filter more precisely the connections according to the user name, password, and/or the browser's or Web server's IP address.

If the On Web Authentication Database Method doesn't exist, the connection is automatically refused and a message indicating that the Authentication method doesn't exist is sent to the browser.

Note: If the user name sent by the browser is an empty string and if the On Web Authentication Database Method doesn't exist, a password dialog box is sent to the browser.

The "Use Passwords" and "Include 4D Passwords" options are selected.

If the user name sent by the browser exists in the table of 4D users and the password is correct, the connection is accepted. If the password is incorrect, the connection is refused.

If the user name sent by the browser doesn't exist in 4D, two results are then possible:

- If the On Web Authentication Database Method exists, the parameters $1, $2, $3, $4, $5, and $6 are returned. You can therefore filter the connections according to the user name, password, and/or the browser's or Web server's IP address.

- If the On Web Authentication Database Method doesn't exist, the connection is refused.
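As an added example (not from the 4D documentation and not a 4D-supplied method), the following On Web Authentication Database Method combines the two filters this page describes: it accepts a browser only from a constructed private address range, and when the URL calls a project method through 4DACTION or 4DMETHOD it compares the method name against a small allow-list. The parameter order ($1 URL, $2 HTTP header, $3 browser IP, $4 server IP, $5 user name, $6 password, $0 True to accept) follows this page; the IP range and the method names are assumptions.

```4d
  ` On Web Authentication Database Method (added example, not 4D's own code)
  ` $1 = URL, $2 = HTTP header, $3 = browser IP, $4 = server IP,
  ` $5 = user name, $6 = password (both empty unless "Use Passwords" is on)
  ` $0 = True to accept the request, False to refuse it
C_TEXT($1;$2;$3;$4;$5;$6)
C_BOOLEAN($0)
C_TEXT($vtURL;$vtMethod)
C_LONGINT($vlPos;$vlEnd)
ARRAY TEXT($atAllowed;2)

$0:=False  ` refuse by default; every accepted path below is explicit

  ` 1. IP filter: only browsers on a constructed 192.168.1.* range (assumption)
If ($3="192.168.1.@")
	$vtURL:=$1
	
	  ` 2. Requests that do not call a project method are let through
	If (($vtURL#"/4DACTION/@") & ($vtURL#"/4DMETHOD/@"))
		$0:=True
	Else 
		  ` 3. Extract the method name that follows "/4DACTION/" or "/4DMETHOD/"
		$vlPos:=Position("/";Substring($vtURL;2))+2  ` first char after the 2nd "/"
		$vtMethod:=Substring($vtURL;$vlPos)
		$vlEnd:=Position("/";$vtMethod)  ` drop anything after the method name
		If ($vlEnd>0)
			$vtMethod:=Substring($vtMethod;1;$vlEnd-1)
		End if 
		
		  ` 4. Allow-list of project methods meant for the Web (constructed names)
		$atAllowed{1}:="WEB_ShowCatalog"
		$atAllowed{2}:="WEB_Search"
		$0:=(Find in array($atAllowed;$vtMethod)>0)  ` e.g. "Erase_All" is refused
	End if 
End if 
```

Because $0 starts as False, a request that matches none of the accepting branches (wrong address range, or a method name outside the list) is refused rather than falling through.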

4D Web server's access system is summarized in the following diagram:

A Security Note about Robots

Certain robots (query engines, spiders...) crawl Web servers and static pages. If you do not want robots to be able to access your entire site, you can define which URLs they are not allowed to access.

To do so, put the ROBOTS.TXT file at the server's root. This file must be structured in the following manner:

User-Agent: <name>
Disallow: <URL> or <beginning of the URL>

For example:

User-Agent: *
Disallow: /4D
Disallow: /%23%23
Disallow: /GIFS/

"User-Agent: *" means that all robots are affected.

"Disallow: /4D" means that robots are not allowed to access URLs beginning with /4D.

"Disallow: /%23%23" means that robots are not allowed to access URLs beginning with /%23%23.

"Disallow: /GIFS/" means that robots are not allowed to access the /GIFS/ folder or its subfolders.

Another example:

User-Agent: *
Disallow: /

In this case, robots are not allowed to access the entire site.

Generic Web User


You can designate a user, previously defined in the 4D password table, as a "Generic Web User." In this case, each browser that connects to the database can use the access authorizations and restrictions associated with this generic user. You can therefore easily control the browser's access to the different parts of the database.

Note: Do not confuse this option, which allows you to restrict the browser's access to different parts of the database (tables, menus, etc.), with the Web server's connection control system, managed by the password system and the On Web Authentication Database Method.

To define a Generic Web User:

1. In the Design mode, create at least one user with the Users editor of the Tool Box.

You can associate a password with the user if you wish.

2. In the different 4D editors, authorize or restrict access to this user.

3. In the Preferences dialog, choose the Advanced page of the Web theme.

The "Web Passwords" area contains the Generic Web User drop-down list. By default, the Generic Web User is the Designer and the browsers have full access to the entire database.

4. Choose a user in the drop-down list and validate the dialog box.

All the Web browsers that are authorized to connect to the database will benefit from the access authorizations and restrictions associated with this Generic Web User (except when the "Include 4D Passwords" option has been selected and the user that connects does not exist in the 4D password table, see below).

Interaction with the Web Password System

The "Use Passwords" option does not influence how the Generic Web User operates. Whatever the state of this option, the access authorizations and restrictions associated with the "Generic Web User" will be applied to all the Web browsers that are authorized to connect to the database.

However, when the "Include 4D passwords" option is selected, two possible results can occur:

The user's name and password don't exist in 4D's password table. In this case, if the connection has been accepted by the On Web Authentication Database Method, the Generic Web User's access rights will be applied to the browser.

If the user's name and password exist in 4D's password table, the "Generic Web User" parameter is ignored. The user connects with his own access rights.

Defining an HTML Root Folder by Default


This option in the Preferences allows you to define the folder in which 4D will search for the static and semi-dynamic HTML pages, pictures, etc., to send to the browsers.

Moreover, the HTML root folder defines, on the Web server hard drive, the hierarchical level above which the files will not be accessible. This access restriction applies to URLs sent to Web browsers as well as to 4D's Web server commands, such as SEND HTML FILE. If a URL is sent to the database by a browser or if a 4D command tries to access a file located above the HTML root folder, an error is returned indicating that the file has not been found.

By default, 4D defines an HTML Root folder named WebFolder. If it does not already exist, the HTML root folder is physically created on disk at the moment the Web server is launched for the first time.

If you keep the default location, the root folder is created:

with 4th Dimension and 4D Server, at the same level as that of the database structure file.

with 4D Client, at the same level as that of the 4D Client .exe file (under Windows) or the software package (under Mac OS).

You can modify the default HTML root folder name and location in the Preferences dialog box (Web theme, Configuration page):

In the "Default HTML Root" entry area, enter the new access path of the folder that you wish to define.

The access path entered in this dialog box is relative: it is established from the folder containing the structure of the database (4th Dimension or 4D Server) or the folder containing the 4D Client application or software package (4D Client).

For multi-platform compatibility of your databases, the 4D Web server uses particular writing conventions to describe access paths. The syntax rules are as follows:

Folders are separated by a slash ("/")

The access path must not end with a slash ("/")

To "go up" one level in the folder hierarchy, enter ".." (two periods) before the folder name

The access path must not start with a slash ("/") (except if you want the HTML root folder to be the database or 4D Client folder, see below).

For example, if you want the HTML root folder to be the "Web" subfolder in the "4DDatabase" folder, enter 4DDatabase/Web.

If you want the HTML root folder to be the database or 4D Client folder, but for access to the folders above to be forbidden, enter "/" in the area. For a completely free access to the volumes, leave the "Default HTML Root" area empty.

WARNING: If you do not define a default HTML Root folder in the Preferences dialog box, the folder that contains the structure file of the database or the 4D Client application will be used. Be careful because in this case there are no access restrictions (users can access all the volumes).

Note: When the HTML root folder is modified in the Preferences dialog box, the cache is cleared so as to not store files whose access is restricted.

Database Preferences and SET HTML ROOT (contextual mode)

You can also modify the HTML root folder by using the SET HTML ROOT command (in contextual mode only). The modification then only applies to the current Web process for the work session. The cache of the HTML pages is cleared as well.

However, the SET HTML ROOT command takes into account the default HTML root folder when it is defined in the Preferences. If the folder defined in the Preferences dialog box is "WebPages/" and if you pass the instruction SET HTML ROOT("Folder"), the default HTML root folder becomes "WebPages/Folder/". Also in this case, the access restrictions are only maintained for the folders located above the "WebPages" folder.

Note: The SET HTML ROOT command has no effect when the Web server is in non-contextual mode.

Available through 4DACTION, 4DMETHOD and 4DSCRIPT


The special 4DACTION (non-contextual mode) and 4DMETHOD (contextual mode) URLs, as well as the 4DSCRIPT, 4DVAR and 4DHTMLVAR tags, allow you to trigger the execution of any project method of a 4D database published on the Web. For example, the request http://www.server.com/4DACTION/Erase_All causes the execution of the Erase_All project method, if it exists.

This mechanism therefore presents a security risk for the database, in particular if an Internet user intentionally (or unintentionally) triggers a method not intended for execution via the Web. You can avoid this risk in three ways:

Restrict access to project methods using the 4D password system. Drawbacks: This system requires the use of 4D passwords and forbids any type of method execution (including using HTML tags).

Filter the methods called via the URLs using the On Web Authentication Database Method. Drawbacks: If the database includes a great number of methods, this system may be difficult to manage.

Use the Available through 4DACTION, 4DMETHOD and 4DSCRIPT option found in the Method properties dialog box:

This option is used to individually designate each project method that can be called using the special URLs, 4DACTION and 4DMETHOD, or the 4DSCRIPT, 4DVAR and 4DHTMLVAR tags. When it is not checked, the project method concerned cannot be executed using an HTTP request containing a special URL or tag. Conversely, it can be executed using other types of calls (formulas, other methods, etc.).

This option is unchecked by default for databases created with 4th Dimension starting with version 2003. Methods that can be executed using the 4DACTION or 4DMETHOD Web URLs or the 4DSCRIPT, 4DVAR and 4DHTMLVAR tags must be specifically indicated.

Conversely, for reasons of compatibility, this option is checked for existing databases (created with a version of 4D earlier than 2003): by default, all the project methods are accessible via Web requests.

In the Explorer, Project methods "available through 4DACTION, 4DMETHOD and 4DSCRIPT" are given a specific icon:

See Also

On Web Authentication Database Method, On Web Connection Database Method, Using SSL Protocol.
