I'm trying to use a Security Filter service to manage secure access to some of our forms. The aim is to only allow access from a specific referer - for use with internal forms.

I've used the provided code as a template, but cannot get the behaviour that I'm after.

I have used the default code for txn, and added some code to handle referer:

// Default template code: when a new form is being opened there is no
// transaction yet, so the filter does nothing and lets the request through.
if (txn == null) {
    return
}

// Added referer handling: read the Referer request header (may be null when
// the URL is typed or pasted directly) and redirect unless it mentions the
// internal site.
String referer = request.getHeader("referer")
logger.info("referer = ${referer}")
if (!referer || !referer.contains("http://my-internal-url-link")) {
    throw new RedirectException("../not-authorized.htm")
}

If I copy a form URL and paste it into the browser, the form opens - but I expect it to be restricted based on referer = null. But it seems that the txn is null.

If I remove the above code handling the txn, then I face problems because I cannot launch a form from TM using the 'direct' link.


How can I restrict form access based on referer, but still allow access for development and testing purposes?


Thanks

Mark
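As an added example (not from the original post and not Avoka Transact Manager code), here is what a stricter form of the check above looks like: it compares the Referer's whole origin (scheme, host, port) against an allow-list instead of doing a substring match, and treats an absent header as "deny", which is exactly the case when a form URL is pasted straight into the browser. The allowed origins and sample header values are constructed placeholders; as the thread goes on to note, the header is sent at the client's discretion, so this is a convenience filter rather than an access control.

```groovy
// Normalise an absolute URL to its origin "scheme://host:port", filling in the
// default port. Returns null for a missing, relative, or unparseable value.
String originOf(String url) {
    if (!url) return null
    URI uri
    try {
        uri = new URI(url.trim())
    } catch (URISyntaxException ignored) {
        return null
    }
    if (!uri.scheme || !uri.host) return null
    int port = uri.port
    if (port == -1) port = uri.scheme.equalsIgnoreCase('https') ? 443 : 80
    return "${uri.scheme.toLowerCase()}://${uri.host.toLowerCase()}:${port}"
}

// True only when the Referer's origin exactly matches one of the allowed origins.
// A null/blank/garbled header yields false rather than throwing.
boolean refererAllowed(String referer, List<String> allowedOrigins) {
    String origin = originOf(referer)
    if (origin == null) return false            // direct navigation or no header sent
    return allowedOrigins.collect { originOf(it) }.contains(origin)
}

// Constructed allow-list (placeholder hosts, not real TM URLs).
List<String> allowed = ['http://my-internal-url-link', 'https://intranet.example:8443']

// Pasted URL: browser sends no Referer, so the request is refused.
assert !refererAllowed(null, allowed)
// Link clicked from a page on the internal site: origin matches.
assert refererAllowed('http://my-internal-url-link/portal/forms.htm', allowed)
// Case and explicit default port are normalised away.
assert refererAllowed('HTTP://MY-INTERNAL-URL-LINK:80/x', allowed)
// Another host that merely mentions the internal URL in its query string is
// refused here, whereas a contains() check would have let it through.
assert !refererAllowed('http://other-host.example/?next=http://my-internal-url-link', allowed)
// Wrong port on the right host is a different origin.
assert !refererAllowed('https://intranet.example:9443/', allowed)
```

Inside a Security Filter the `throw new RedirectException("../not-authorized.htm")` branch would be taken whenever `refererAllowed(request.getHeader("referer"), allowed)` is false.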

    1 answer

      Hi Mark,

      "If I remove the above code handling the txn, then I face problems because I cannot launch a form from TM using the 'direct' link."

      Yes, you have to copy the link into a web page/portal that is on the "referer" site, then click on it from there.

      What sort of access is required for this form Anonymous or Authentication?

      There may be a better way to restrict authenticated users based on their group.

      1. Mark Murray

        Hi Larry,

        thanks for the suggestion.

        However, I've done some more research and found that it is not a good approach to use 'referer' for security purposes. So, I will need to consider other options.

        This is part of a broader project to provide some of our forms in a secure manner. The target user group are our registered customers, who don't have accounts on TM, so the use of 'groups' is not directly applicable for those users.

        I'm investigating different scenarios and security options, and need to consider TM as well as some of our other systems, and what they can and can't do.

        I'll keep working through the options.


        Thanks

        Mark

      2. Larry Bunton

        Hi Mark,

        As far as I know, the only place in the system where there is a legitimate use of referer is where we have authenticated users connecting using SSO, where we re-validate the SSO token if the request comes from a referer system, and there may be a change of user. Further HTTP requests have a referer of the TM server and these need to be allowed access using the same user session.

        This is an edge use case that allows an internal employee to do work on behalf of many clients (case management system).

        cheers

        Larry
