m-Power Applications and Security
For some users, the need to implement sign-on security is relatively low. However, at some point you may need to activate mrc's built-in security, which allows you to:
- Validate a user against their system user profile or a database table
- Implement a menuing system that shows users only the applications they have access to
- Implement row-level security (limiting which rows of data a user can see at runtime)
- Capture the username for auditing purposes
- Create a fully customizable sign-on page
Each time an application is run, it checks whether security is enabled for its data dictionary. If it is, the user is brought to a sign-on page; if it is not, the user is taken directly to the application.
Toggling Security for a Data Dictionary
To implement your security, you will need to first navigate to "Admin Menu" -> "Application Menu and Security." On this screen, click the "Enable Dictionary Security" button.
By default in Tomcat 7, Tomcat's own container security prevents any developer without the required credentials from enabling or disabling dictionary security. The default username and password are both "mrcuser"; this can be changed as desired.
Note: mrc highly recommends changing these defaults. Edit /m-power/tomcat/conf/tomcat-users.xml, replace the references to "mrcuser" with your own username and password, save the file and restart Tomcat. Unless you configure a digested realm, this file holds the password in cleartext, so restrict who can read it.
Note: Tomcat 6 users who wish to protect enabling/disabling security in the same way will need to modify the web.xml file found in m-power\mrcwebgui\WEB-INF to include the following lines:
<realm-name>Tomcat Manager Application</realm-name>
<web-resource-name>HTML Manager interface </web-resource-name>
The security constraint section needs special consideration: if a security-constraint section already exists in web.xml, merge these lines into it rather than adding a second copy. Save the web.xml file and restart Tomcat.
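The two lines above are only a fragment. As an added example (not mrc's own web.xml), here is a complete security-constraint and login-config built around the realm name and web-resource name the page quotes. The role name "mrc-admin", the url-pattern "/*", BASIC authentication and the transport guarantee are assumptions made for illustration; adjust them to match your installation.

```xml
<!-- Fragment for m-power\mrcwebgui\WEB-INF\web.xml (added example, not mrc's file).
     Assumptions: role name "mrc-admin", url-pattern "/*", BASIC authentication.
     realm-name and web-resource-name are the values quoted on this page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface</web-resource-name>
    <!-- Protect every URL of the mrcwebgui application (assumption) -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only users holding this role may reach the protected pages -->
    <role-name>mrc-admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC auth merely base64-encodes the password, so require TLS here.
         This needs an HTTPS connector in server.xml; remove the element if you have none. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>

<security-role>
  <role-name>mrc-admin</role-name>
</security-role>
```

For the constraint to admit anyone, tomcat-users.xml must declare the same role and grant it to a user, i.e. a <role rolename="mrc-admin"/> element and a <user> element whose roles attribute includes "mrc-admin"; this is also the place to replace the default "mrcuser" credentials described above.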
That’s it! Your users will now have to sign-on when they wish to access applications within this Data Dictionary.
Configuring your Security Options
Click "Admin Menu", then "Edit Dictionary Files", and finally click the "Sign on Configuration" button. A popup window will open like in the screenshot below:
Dictionary Security status: Developers can quickly tell if dictionary security is currently enabled by looking at the top row of this window.
Validation Type: Use this drop-down to select how sign-on security should validate your end users' credentials. Valid types include:
- Validate by database table
- Validate by database user
- Validate by system profile on remote server
- Validate by Active Directory
- Validate by Single Sign On
Data Source: Use this option if your security credentials live in a secondary database that is configured in the mrc Spring Context file.
Validate by Table: If you choose to validate by table, specify the schema and table, and the names of the columns holding the username and password.
Max Signon Attempts: Controls the number of times a user can guess wrong. Once this number has been reached, they will be redirected to the URL listed in the "Signon Fail Redirect" parameter.
Signon Screen: If you wish to use your own customized signon screen, rather than the one provided to you with m-Power, please change this parameter.
After Signoff/Signon Redirect: Once your user clicks the signoff button or signs on (from the DICTIONARY.Login page), they will be automatically redirected to the URLs listed here.
Signon Fail Redirect: Once your user has exceeded the number of sign-in tries defined in the Max Signon Attempts value, they will be redirected to the URL listed here.
Opt Out Applications: Click this tab to designate any applications within this data dictionary that should not be secured. Users will not be required to sign on when accessing an application listed here, so review this list carefully.
mrc Sign-on Screen
mrc Security also comes with a file, mrcSignon2.html, that serves as a fully paintable sign-on screen. To edit it, click "Admin Menu", then the "Edit Dictionary Files" button, then the "Sign on Screen" button.
Note: Rather than calling the standard header and stylesheet, the sign-on screen uses embedded headers, footers, and styles. This allows you to give your sign-on screen a look and feel quite different from your regular applications.
Note: The mrcSignon screen is not available in m-Painter's WYSIWYG mode; it is edited in standard text-editing mode.
When completed, please click the "Save and Deploy" icon.
Note: Changes will not take effect until the next time Tomcat has been restarted.
Active Directory Validation – Additional Configuration
To validate users against Active Directory over LDAP, a few additional configurations must be made in your data dictionary.
- From "Admin Menu", choose "Edit Dictionary Files" and then "Datasource Configuration". This will open the mrc-spring-context file which contains database connection information.
- Find the active directory connection.
Note: If you are unable to find it, copy and paste the following in "Text Mode":
<bean abstract="false" autowire="default" class="com.mrc.dbo.EncryptionDataSource" dependency-check="default" id="active_directory" lazy-init="true" singleton="true">
<property name="url"> <value>ldap://XX.XX.XXX.XXX:389;domain=MYDOMAIN.com;search_base=DC=MYDOMAIN,DC=com;</value> </property>
<property name="driverClassName"> <value>com.mysql.jdbc.Driver</value> </property>
</bean>
Note: This URL uses plain ldap:// on port 389, over which the bind credentials travel unencrypted. Keep that connection on a trusted network segment, or use LDAPS (port 636) if your directory and m-Power installation support it.
- Replace XX.XX.XXX.XXX with your Active Directory server address.
- Replace MYDOMAIN.com with your Active Directory domain.
- Add the necessary domain component (DC=) values to the search_base parameter. You may add as many domain component values as your system requires, separated by commas.
- Press Accept.
- From the "Edit Dictionary Files" screen, select "Sign On Configuration".
- Set the Data Source value to "active_directory" on this window.
- Press Accept and restart Tomcat to load in your changes.
You are now configured to validate your users against Active Directory!
Single Sign On Validation
m-Power can also be configured to work with an external validation program, using a technique called Single Sign On. In order to accomplish this, there are a few additional steps that are required first. Please visit this page to see those additional steps.
Other Important things to Remember
Once a user logs in, they will not have to sign in again until:
- They close their browser
- Tomcat is restarted
- They have exceeded their session timeout value
- The application is reloaded in Tomcat (often because a developer compiles or saves changes in m-Painter)
Particularly because of the last point, mrc strongly recommends keeping development and production in two separate environments. Not only will this provide a much more stable environment for your end users, it will give your developers peace of mind knowing that they are not changing applications that are currently in use. More information regarding this topic can be found here.
Also, any changes made to mrcSignon2.xml or mrcSignon2.html after they have been loaded into Tomcat's memory will require a Tomcat restart before they take effect.