The Web application can be protected so that only authorized users can access it (a system of users and permissions), and the Web server and the HTTP protocol can also be protected (encryption, security settings for message headers, etc.).
Setup and management of users and user groups
Criteria are set for all PROMOTIC users (local and network) that a user must meet at log-on in order to be accepted by the system. The most important are the login name and password. Authenticating the user's identity is crucial for subsequently limiting the user's access to critical parts of the application, which is done by creating permissions on individual parts of the application or by scripts. User groups are used to limit each user's access to the critical parts of the application (the user priority can also be used for this purpose).
Basic or Digest authentication can be used for PROMOTIC users; NTLM authentication can be used for Windows users in a domain. The authentication method is selected in the "Extended configuration" configurator.
Caution! With Basic authentication, the names and passwords in the HTTP request headers are only encoded in Base64; they are unencrypted and can be detected. It is therefore recommended to use the encrypted HTTPS protocol, which eliminates this risk significantly. Another option is to use the secure Digest authentication, so that the password cannot be detected: in that case only the hash (i.e. the digest) of the password is transmitted. The highest security level is provided by NTLM authentication of Windows users in a domain, where the authentication is done by the browser against the domain. This method is commonly used in enterprise intranet networks.
See Users, Permissions, PmUser, Users and permissions.
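The difference between Basic and Digest described in the Caution above, as an added Python example (not PROMOTIC code). It assumes the Digest scheme of RFC 2617 with MD5 and qop=auth, which this page does not specify; all user names, passwords and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac


def basic_header(user, password):
    """Authorization value a browser sends for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Recover the credentials from a Basic header: Base64 is an encoding, not encryption."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce):
    """'response' field of a Digest header (assumed: RFC 2617, MD5, qop=auth)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # secret-derived part
    ha2 = _md5(f"{method}:{uri}")              # request-derived part
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_accepts(response, stored_password, user, realm, method, uri, nonce, nc, cnonce):
    """Server side: recompute from the stored credential, compare in constant time."""
    expected = digest_response(user, stored_password, realm, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from the PROMOTIC documentation.
    user, password, realm = "operator", "S3cret!pw", "example-realm"
    hdr = basic_header(user, password)
    print("Basic header :", hdr)
    print("Decoded      :", decode_basic(hdr))
    r1 = digest_response(user, password, realm, "GET", "/", "nonce-1", "00000001", "c1")
    r2 = digest_response(user, password, realm, "GET", "/", "nonce-2", "00000001", "c1")
    print("Digest (n1)  :", r1)
    print("Digest (n2)  :", r2, "(differs per nonce)")
    print("Accepted     :", server_accepts(r1, password, user, realm, "GET", "/", "nonce-1", "00000001", "c1"))
```

The Digest value does not contain the password and changes with every server nonce, but it is still derived from the password, so running the Web server over HTTPS remains the recommended protection for either scheme.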
HTTPS - secured HTTP protocol
Setting the "https service" configurator enables an encrypted connection between the Web browser and the Web server, securing it against tapping and data forgery.
HTTPS (Hypertext Transfer Protocol Secure) uses the HTTP protocol, and the transmitted data is encrypted by SSL/TLS. The basic security provided by the SSL/TLS protocols is based on digital certificates.
See HTTPS - secured HTTP protocol.
Setting the headers in HTTP response of the Web server
HTTP request headers (RequestHeaders) are set by the Web browser. HTTP response headers (ResponseHeaders) are set by the PROMOTIC Web server. The headers can significantly affect the security level and the browser's behavior in HTTP communication.
See Extended configuration.