Web Security Configuration

IN THIS PAGE

Description

A list of web security configuration settings in Alpha Anywhere.

Security Policy

 Security active

If security is not activated, all objects and actions will be available to all users without restriction. If security is active, the security system is based on membership in a group.

 Password required

Select to require a password as well as a User ID for login. A User ID is always required if security is activate.

 Redirect page - login

This is the name of the page to go to if login is required to access a selected page. This would normally be the login page, or a menu or index page.

 Redirect page - insufficient permission

If a logged in user does not have permission to access a selected page, they will be redirected to this page. If this page is not specified, they will be redirected to the page specified for login.

 Use Active Directory

Use Active Directory property

Login Options

 Login expiration policy

Policy to set a maximum login time period. All options other than 'Expires when current session expires' require the use of a cookie. If the user does not have cookies enabled, they will be logged out when the session expires.

 Login expiration time

Allows setting an expiration time for a login. A user must login again when the login expires. The default expiration time is 1 day.

 Show Remember me option (when using login component)

This option will show a "Remember Me" checkbox on the login component. The user can select to remain logged in for the full login expiration period by checking the "Remember me" control on the component. The user login will expire when the session expires if the user doesn't check the "Remember me" control on the component.

 Keep login for full expiration period

A user will remain logged in for the full login expiration period when this option is selected, or until they manually logout using a logout option. This will be enforced for all login methods.

 Lockout after failed attempts

The number of times a user can try to login unsuccesfully before they are locked out of the application. Set to 0 to allow unlimited attempts.

 Locked out action

The action that should be taken if a user is locked out of the system. 'Wait for period of time' will require the user to wait a specified time until they are allowed to login with same User ID. 'Redirect to another page' will send them to another page. 'Lockout user until reset by administrator' will lock out the User ID until lock is manually released.

 Locked out message

Message to show the user during login to indicate they are locked out of the system.

 Locked out wait time

Locked out wait time property

 Locked out redirect page

This is the page to go to if the user is locked out after the defined number of attempts. This page may have some developer specified action or notice.

 Login activity file

When enabled, will save all login activity to a text file in the specified folder

 Login activity log save to

Folder where activity log file will be saved. Select 'User defined function' to enter your own code to process log activity data.

 Login activity user defined function

Specific values are available to a user defined function. These values can be used to save login activity data to a file or table.

 Login activity include failed

When enabled, all failed attempts to log in will be recorded in the login activity log. If not checked, only successful logins are recorded in the log file.

 Login activity include logout

When enabled, any user logged out by the 'a5ws_logoutuser()' function will be recorded in the login activity log. No log entry will be created if no one is logged on when the log out function is called.

 Login redirect option

Login redirect only applies when a login component is used for login. This determines the action to take after a successful login. Select 'Current page' if the user should stay on the page containing the login component. Select 'Same page for all logins' to send all users to the same page after login. Select 'Page assigned by user' to allow setting a specific page in the user profile.

 Redirect page after login (when using login component)

Login redirect only applies when a login component is used for login (as opposed to a TabbedUI or UX component with integrated Login). This is the name of the page to go to after a successful login. If the redirect option is 'Page assigned by user', this page will be used if a redirect page is not assigned in the current user profile.

 Ignore return to page after login

This option is only used when a login component is used for login (as opposed to a TabbedUI or UX component with integrated Login). When a person attempts to open a page or component for which they do not have permission, they are redirected to the login page. The default action is to always redirect to the page specified by the 'Login redirect option' and the 'Redirect page after login (when using login component)'. Uncheck this to return to the previous page. This option is automatically checked if component security is active.

User ID Options

 User ID configuration

A User ID can be configured to allow an email address or a field value that meets specified validation rules.

 User ID error message

Message to display if the User ID is configured as an Email address and the entered value is not a valid Email address. This message may be replaced with a message defined in a Login component.

 User ID validation rules

Specify rules to test if the value for User ID is valid.

Password Options

 Password encryption

Allows password data to be encrypted prior to saving in the user table.

 Password encryption key

Enter the key to use to encrypt all password. A key is required if encryption is selected. Key must be a minimum of 8 characters and a maximum of 64 characters in length. The key can use characters, numbers, and special characters.

 Password use legacy encryption

Select to use the legacy encryption used by Alpha Five versions before Alpha Anywhere for new passwords.

 Allow password change at login

This option is only used by the login component. Allow the user to change their password at login when using the login component.

 Password validation rules

Specify rules to test if the value for the password is valid.

 Password expires?

Allows setting an expiration time for a password. A new password must be entered when the current password expires.

 Password expiration time

The period of time a password will be active before it automatically expires. The expiration is re-calculated when a new password is entered. The default expiration time is 1 year.

 Password change on first use

Require a user to immediately change their password at login after it has been reset. The login component must allow the user to change their password at login. NOTE: Some method to change the user password must be provided if using any login method other than the login component.

 Password restricted re-use

The number of old passwords that are saved in a restricted list and can not be re-used. A value of 0 will allow any password to be re-used without restriction. A value of 1 will only require that a new password does not match the current password

 Password restricted re-use message

Message to show if the user entered a restricted password. This message may be replaced during login with a message defined in a Login component.

Lost Data Recovery Options

 Allow user ID recovery

Allow the user to recover their User ID if they have lost it.

 Data required for recovery

The information that must be entered to identify the user to recover the User ID

 Lost password action

Allow the user to recover or reset a lost password. If 'reset' is selected, the system will automatically generate a new random password that meets the password validation rules.

 Data required for password reset or recovery

The information that must be entered to identify the user to recover or reset the password.

 Lost data recovery method

Method that is used to recover a lost user id or password. If 'Send Email to user' is selected and the Host computer is not configured to send Email, the alternative method will be used. 'Create Email link on page' will show an email link on the page that will allow the user to send a pre-configured email request for lost data to a defined address.

 Lost data recovery alternative method

Method that will be used to recover a lost user id or password if 'Send Email to user' is selected and the Host computer is not configured to send Email. 'Create Email link on page' will show an email link on the page that will allow the user to send a pre-configured email request for lost data to a defined address.

 Email send method

Specify if the e-mail should be sent using the built-in e-mail methods, or using a 3rd party e-mail service. At this time only the 'Mandrill' e-mail service is supported.

 Email profile for sending emails

Enter the name of an email profile that is configured on the application server in the published location. If no profile is specified, the send email process will attempt to use the current active email profile on the server. If the profile specified is invalid or not found on the server, the alternate recovery method will be used.

 Mandrill key

Specify your Mandrill key. (You need to get this key from Mandrill). You can enter , or leave this blank to use the setting for the Mandrill key stored in Web Poject Properties.

 Email SMTP server

Specify the outgoing SMTP server address for a valid email account to use to send the emails. The address would be similar to 'smpt.my_isp.net'.

 Email account user name

Specify the 'User Name' for the email account to use to send emails.

 Email account password

Specify the password for the email account to use to send emails.

 Email SMPT Port

TIP: With SSL, or TLS enabled, if you are using Gmail the port for the internal email methods is 465.

 Email SSL option

Specify the SSL option. If not using SSL, leave blank. Example settings: SSL, TLS.

 Email From address

Specify e-mail address of the sender. This is required.

 Email From alias

Specify a friendly name for the 'from' name. This is optional.

 Send user ID with password?

Should the lost data recovery Email being sent to the user include both their User ID and their Password in the same message? If not selected, 2 emails will be sent if the recovery process was used to find their User ID

 Configure email to send to user

This is the Email configuration to create an email to send to the listed Email address for the user. The Host computer MUST be configured to send email. The email will include the User ID and Password in the same email and will be used if the user is requesting a lost User ID and a lost Password

 Configure email to send to user with user ID

This is the Email configuration to create an email to send to the listed Email address for the user. The Host computer MUST be configured to send email. The email will only contain the User ID and will be used if the user is requesting a lost User ID

 Configure email to send to user with password

This is the Email configuration to create an email to send to the listed Email adress for the user. The Host computer MUST be configured to send email. The email will only contain only the Password and will be used if the user is only requesting a lost Password

 Configure email request from user

This is the Email configuration that will create an email request from the user. The user can send an email to the defined address to request login information.

 Security questions

This is a list of 'Security' questions that can be used to verify a user. The user can select a question and supply an answer as a means of identification

Customize Options

 Default security group

This option will allow setting a default security group or groups for a new user record. This default value would only be used for a new user if no groups were included in the data submitted for the new user. The default group will only be added to new users added by a process running on the application server.

 Enable external user identifier field

This option is no longer recommended. The security 'userid' should be stored in an external table if linking is required. User records may also exist in tables outside of the security system. This option will enable a special field named 'ulink'. The value entered in the 'ulink' field can identify a related user record in the external table.

 Session variable for identifier field

(Optional) Enter the name of a session variable to contain the value from the 'ulink' field. If the security framework is on, the session variable will always exist for every page. The variable value will be blank if no one is logged on, or contain a 'ulink' value from the logged in user record, if a value exists for that user.

 Prompt to display for identifier field

Enter the prompt to display on the Users and Groups form for the 'ulink' field. The text can describe the source of the value.

 User verification field values required

This option is only available when using the login component. You have enabled the feature that allows a user to recover lost login information. This option will determine if values in the User Verification Fields MUST be entered, or if they are OPTIONAL.

 User recovery email invalid message

Message to show if the email entered to identify a user for data recovery is not a valid email address

 User ID not unique error message

Used ID values must be unique. This message will display if the User ID entered already exists in the user table. This message is only used in a web component.

 User file - required data missing message

This message is displayed if required data is missing when saving a new or changed user record. This message is only used in a web component.

 Password - confirm password doesn't match message

This message is only displayed if an optional 'confirm_password' value doesn't match the entered password. This message is only used in a web component.

 Enable component security for 'virtual pages'

Some Ajax actions open grids and reports on virtual pages. The default security for virtual pages is 'Always Allowed'. Select this option to enable security at the component level. When selected, components and reports on virtual pages are 'Always Denied' by default and must be have permissions set. Grids on pages use the page permission.

 Enforce security at component level for AJAX components

AJAX enabled components on pages use the page permission. Checking this option will force all Ajax actions to use the component security permissions defined in the Web Security instead of the page permission. All components opened by Javascript or by virtual pages always use the component security permissions if component security is enabled.

 Ask browser to not cache requests requiring login

Check this option to ask a browser to turn off caching for any item that requires login. This ONLY applies to requests for items that require login to view. This will normally cause the browser to make a new request for a page if the browser 'back' or 'forward' buttons are used. Caching will still be permitted if security is off, or the page or component requested is always allowed.

 Cache lifetime (in seconds)

The security settings are cached on the server for improved speed and are not automatically updated when the new settings are published. The cache lifetime (in seconds) determines how often the server will check for updates. A value of 300 will allow the server to check for new published settings every 5 minutes. Set the value to 0 to never check for updates.