Question

Web Integration and Security Question

asked on November 14, 2013

Good Morning -

 

I am working with a customer's accounting software package to make calls from their Interface to Laserfiche.  This search will take a number they provide, and search an LF Field for that number.

 

I think we are good with the search syntax from the Weblink/WebAccess 8.3 help files.

 

My question is this:

 

Once you have composed the URL, what is there to stop the user from replacing our search value with a search value of their own and using that to do a back door search of the repository?

 

I am sure you have thought of this, and I was just wondering how this was managed.

 

0 0

Answer

APPROVED ANSWER
replied on November 14, 2013

Hi Bill-

 

It sounds like you're sending a field value search via URL to Web Access/WebLink. The simple answer to your question is that a savvy user could replace the field value that gets passed with a different value that they type in manually.

 

Of course, security is still enforced, so users will only be able to access documents that they have rights to.

1 0

Replies

replied on November 18, 2013

It’s an interesting problem that has come up a few times in slightly different ways.  Of course any access to the Laserfiche repository through any client (web or desktop) will be restricted by the ACLs you have set up in Laserfiche.  Sometimes when putting together an integration in which Laserfiche is not the “primary” application, people sometimes realize that they can’t put all of their access control logic in Laserfiche.  (In this particular case, the question isn’t directly about accessing documents but about the types of searches that can be run, which isn’t something that can be secured in Laserfiche.)  This is primarily a concern when the integration is done with the web since anyone can edit the URL in their browser, but unless the machine is locked down even an integration with a desktop client is vulnerable to similar sorts of misuse.

 

There are a few ideas that might be usable in a situation like this.  Most of them require additional coding or integration work, so it’s up to you to decide if the problem is big enough to require a solution.

 

The first is to not try to prevent access, but to use Audit Trail to monitor access.  You would periodically run reports to determine if any access was “unauthorized”, possibly with a customized reporting tool.

 

Another solution is to prevent URL modification.  The idea here is that your interfacing application would cryptographically sign the URLs it generates, so that any attempts to change the URL result in an invalid signature.  It’s not feasible to do this with either WebLink or Web Access, but it could be designed in to a custom web document viewer.  See this forum post for some related discussion: https://support.laserfiche.com/ForumsFrames.aspx?Link=viewtopic.php%3ft%3d15888.

 

Finally, you might consider dynamically updating security in Laserfiche in response to events in the integrating application.  For instance when a case is assigned to a case worker, you could start a workflow that updates the security on the relevant folders and grants the access to the appropriate account.  Of course this requires that there are such events and an API to hook into.

1 0
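
The signed-URL idea from the reply above, sketched for a custom viewer (an added example, not code from the thread or from Laserfiche). The viewer URL, parameter names, field name and key are assumptions; the key is shared only between the integrating application and the viewer, which runs the search itself once verification passes.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed values: the key never reaches the browser.
SECRET_KEY = b"constructed-demo-key-not-for-production"
VIEWER_URL = "https://viewer.example.com/search"  # hypothetical custom viewer


def _mac(path, params, key):
    # Canonical form: path plus sorted, URL-encoded parameters, so both
    # sides compute the MAC over identical bytes.
    canonical = path + "?" + urlencode(sorted(params.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(field, value, user, key=SECRET_KEY, ttl=300, now=None):
    """Integrating-application side: build a link valid for `ttl` seconds."""
    now = int(time.time()) if now is None else now
    params = {"field": field, "value": value, "user": user, "exp": str(now + ttl)}
    params["sig"] = _mac(urlsplit(VIEWER_URL).path, params, key)
    return VIEWER_URL + "?" + urlencode(params)


def verify_url(url, session_user, key=SECRET_KEY, now=None):
    """Viewer side: return the signed parameters, or None if rejected."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(pairs)
    if len(pairs) != len(params):       # a parameter name was repeated
        return None
    sig = params.pop("sig", "")
    expected = _mac(parts.path, params, key)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                     # any edited or added parameter fails here
    if int(params.get("exp", "0")) < now:
        return None                     # link has expired
    if params.get("user") != session_user:
        return None                     # link was issued to a different account
    return params
```

Binding the signature to the account and an expiry time keeps a valid link from being reused later or passed to another user.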
replied on November 15, 2013

Thanks, Peter -

 

I forgot Web Link/Web Access acts like any other client, as far as the server is concerned.

 

Bill

0 0