Web Security Configuration
A list of web security configuration settings in Alpha Anywhere.
If security is not activated, all objects and actions will be available to all users without restriction. If security is active, the security system is based on membership in a group.
Select to require a password as well as a User ID for login. A User ID is always required if security is activate.
This is the name of the page to go to if login is required to access a selected page. This would normally be the login page, or a menu or index page.
If a logged in user does not have permission to access a selected page, they will be redirected to this page. If this page is not specified, they will be redirected to the page specified for login.
Use Active Directory property
Policy to set a maximum login time period. All options other than 'Expires when current session expires' require the use of a cookie. If the user does not have cookies enabled, they will be logged out when the session expires.
Allows setting an expiration time for a login. A user must login again when the login expires. The default expiration time is 1 day.
This option will show a "Remember Me" checkbox on the login component. The user can select to remain logged in for the full login expiration period by checking the "Remember me" control on the component. The user login will expire when the session expires if the user doesn't check the "Remember me" control on the component.
A user will remain logged in for the full login expiration period when this option is selected, or until they manually logout using a logout option. This will be enforced for all login methods.
The number of times a user can try to login unsuccesfully before they are locked out of the application. Set to 0 to allow unlimited attempts.
The action that should be taken if a user is locked out of the system. 'Wait for period of time' will require the user to wait a specified time until they are allowed to login with same User ID. 'Redirect to another page' will send them to another page. 'Lockout user until reset by administrator' will lock out the User ID until lock is manually released.
Message to show the user during login to indicate they are locked out of the system.
Locked out wait time property
This is the page to go to if the user is locked out after the defined number of attempts. This page may have some developer specified action or notice.
When enabled, will save all login activity to a text file in the specified folder
Folder where activity log file will be saved. Select 'User defined function' to enter your own code to process log activity data.
Specific values are available to a user defined function. These values can be used to save login activity data to a file or table.
When enabled, all failed attempts to log in will be recorded in the login activity log. If not checked, only successful logins are recorded in the log file.
When enabled, any user logged out by the 'a5ws_logoutuser()' function will be recorded in the login activity log. No log entry will be created if no one is logged on when the log out function is called.
Login redirect only applies when a login component is used for login. This determines the action to take after a successful login. Select 'Current page' if the user should stay on the page containing the login component. Select 'Same page for all logins' to send all users to the same page after login. Select 'Page assigned by user' to allow setting a specific page in the user profile.
Login redirect only applies when a login component is used for login (as opposed to a TabbedUI or UX component with integrated Login). This is the name of the page to go to after a successful login. If the redirect option is 'Page assigned by user', this page will be used if a redirect page is not assigned in the current user profile.
This option is only used when a login component is used for login (as opposed to a TabbedUI or UX component with integrated Login). When a person attempts to open a page or component for which they do not have permission, they are redirected to the login page. The default action is to always redirect to the page specified by the 'Login redirect option' and the 'Redirect page after login (when using login component)'. Uncheck this to return to the previous page. This option is automatically checked if component security is active.
A User ID can be configured to allow an email address or a field value that meets specified validation rules.
Message to display if the User ID is configured as an Email address and the entered value is not a valid Email address. This message may be replaced with a message defined in a Login component.
Specify rules to test if the value for User ID is valid.
Allows password data to be encrypted prior to saving in the user table.
Enter the key to use to encrypt all password. A key is required if encryption is selected. Key must be a minimum of 8 characters and a maximum of 64 characters in length. The key can use characters, numbers, and special characters.
Select to use the legacy encryption used by Alpha Five versions before Alpha Anywhere for new passwords.
This option is only used by the login component. Allow the user to change their password at login when using the login component.
Specify rules to test if the value for the password is valid.
Allows setting an expiration time for a password. A new password must be entered when the current password expires.
The period of time a password will be active before it automatically expires. The expiration is re-calculated when a new password is entered. The default expiration time is 1 year.
Require a user to immediately change their password at login after it has been reset. The login component must allow the user to change their password at login. NOTE: Some method to change the user password must be provided if using any login method other than the login component.
The number of old passwords that are saved in a restricted list and can not be re-used. A value of 0 will allow any password to be re-used without restriction. A value of 1 will only require that a new password does not match the current password
Message to show if the user entered a restricted password. This message may be replaced during login with a message defined in a Login component.
Allow the user to recover their User ID if they have lost it.
The information that must be entered to identify the user to recover the User ID
Allow the user to recover or reset a lost password. If 'reset' is selected, the system will automatically generate a new random password that meets the password validation rules.
The information that must be entered to identify the user to recover or reset the password.
Method that is used to recover a lost user id or password. If 'Send Email to user' is selected and the Host computer is not configured to send Email, the alternative method will be used. 'Create Email link on page' will show an email link on the page that will allow the user to send a pre-configured email request for lost data to a defined address.
Method that will be used to recover a lost user id or password if 'Send Email to user' is selected and the Host computer is not configured to send Email. 'Create Email link on page' will show an email link on the page that will allow the user to send a pre-configured email request for lost data to a defined address.
Specify if the e-mail should be sent using the built-in e-mail methods, or using a 3rd party e-mail service. At this time only the 'Mandrill' e-mail service is supported.
Enter the name of an email profile that is configured on the application server in the published location. If no profile is specified, the send email process will attempt to use the current active email profile on the server. If the profile specified is invalid or not found on the server, the alternate recovery method will be used.
Specify your Mandrill key. (You need to get this key from Mandrill). You can enter , or leave this blank to use the setting for the Mandrill key stored in Web Poject Properties.
Specify the outgoing SMTP server address for a valid email account to use to send the emails. The address would be similar to 'smpt.my_isp.net'.
Specify the 'User Name' for the email account to use to send emails.
Specify the password for the email account to use to send emails.
TIP: With SSL, or TLS enabled, if you are using Gmail the port for the internal email methods is 465.
Specify the SSL option. If not using SSL, leave blank. Example settings: SSL, TLS.
Specify e-mail address of the sender. This is required.
Specify a friendly name for the 'from' name. This is optional.
Should the lost data recovery Email being sent to the user include both their User ID and their Password in the same message? If not selected, 2 emails will be sent if the recovery process was used to find their User ID
This is the Email configuration to create an email to send to the listed Email address for the user. The Host computer MUST be configured to send email. The email will include the User ID and Password in the same email and will be used if the user is requesting a lost User ID and a lost Password
This is the Email configuration to create an email to send to the listed Email address for the user. The Host computer MUST be configured to send email. The email will only contain the User ID and will be used if the user is requesting a lost User ID
This is the Email configuration to create an email to send to the listed Email adress for the user. The Host computer MUST be configured to send email. The email will only contain only the Password and will be used if the user is only requesting a lost Password
This is the Email configuration that will create an email request from the user. The user can send an email to the defined address to request login information.
This is a list of 'Security' questions that can be used to verify a user. The user can select a question and supply an answer as a means of identification
This option will allow setting a default security group or groups for a new user record. This default value would only be used for a new user if no groups were included in the data submitted for the new user. The default group will only be added to new users added by a process running on the application server.
This option is no longer recommended. The security 'userid' should be stored in an external table if linking is required. User records may also exist in tables outside of the security system. This option will enable a special field named 'ulink'. The value entered in the 'ulink' field can identify a related user record in the external table.
(Optional) Enter the name of a session variable to contain the value from the 'ulink' field. If the security framework is on, the session variable will always exist for every page. The variable value will be blank if no one is logged on, or contain a 'ulink' value from the logged in user record, if a value exists for that user.
Enter the prompt to display on the Users and Groups form for the 'ulink' field. The text can describe the source of the value.
This option is only available when using the login component. You have enabled the feature that allows a user to recover lost login information. This option will determine if values in the User Verification Fields MUST be entered, or if they are OPTIONAL.
Message to show if the email entered to identify a user for data recovery is not a valid email address
Used ID values must be unique. This message will display if the User ID entered already exists in the user table. This message is only used in a web component.
This message is displayed if required data is missing when saving a new or changed user record. This message is only used in a web component.
This message is only displayed if an optional 'confirm_password' value doesn't match the entered password. This message is only used in a web component.
Some Ajax actions open grids and reports on virtual pages. The default security for virtual pages is 'Always Allowed'. Select this option to enable security at the component level. When selected, components and reports on virtual pages are 'Always Denied' by default and must be have permissions set. Grids on pages use the page permission.
Check this option to ask a browser to turn off caching for any item that requires login. This ONLY applies to requests for items that require login to view. This will normally cause the browser to make a new request for a page if the browser 'back' or 'forward' buttons are used. Caching will still be permitted if security is off, or the page or component requested is always allowed.
The security settings are cached on the server for improved speed and are not automatically updated when the new settings are published. The cache lifetime (in seconds) determines how often the server will check for updates. A value of 300 will allow the server to check for new published settings every 5 minutes. Set the value to 0 to never check for updates.