Security

By: James Reynolds - Revised: 2006-06-08 devin

FileMaker Pro handles security in two ways: either by using the FileMaker Pro Access Privileges or by using the Web Security Database. The Web Companion Configuration dialog box lets you switch between the two.

The Web Companion Configuration dialog box

The Web Companion has two major flaws: 1) It is too simple. 2) It will serve any file that is within the web folder to anybody.

1) Because the Web Companion serves data based on form or URL submissions, it is fairly easy to extract data from a database. Users can type in their own URLs and get FileMaker to do all kinds of things. That is the main problem: users with different access privileges. The Web Companion is too simple to restrict users to anything finer than basic requests. The only fix is to try to employ

[FMP-If:CurrentClientAccess.eq.2]
show secure stuff
[FMP-Else]
not allowed
[/FMP-If]

where CurrentClientAccess is a field that has to be calculated by a script that is called from the referring page. But then the user must have script access, which may be something you don't want...

2) Anyone in the world who knows or can find out the path to a format file can simply type the URL in, and the Web Companion will serve the format file's source with all of its CDML tags. This means you can't hide anything in a format file UNLESS you make it a database field (that way you will at least hide code from people without passwords; but of course, CDML tags don't work if they are in fields, they must be in the format file).
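The practical consequence of flaw 2 is that an administrator should know exactly which files in the web folder carry CDML, because each one is readable verbatim. The following Python script is an added example (it is not part of the original article and not a FileMaker tool): it scans the contents of a web folder, reports every file that contains CDML tags, and singles out files that hold [FMP-If] access-control logic like the snippet under flaw 1. The sample file names and contents are constructed for illustration.

```python
"""Audit a FileMaker Web Companion web folder for exposed CDML format files.

Added example, not from the original article. The Web Companion serves every
file in the web folder as-is, so any format file that contains CDML tags is
readable by anyone who knows its URL. This script lists those files so an
administrator can see what is exposed. Paths and file names are assumptions.
"""
import os
import re

# CDML tags look like [FMP-Field: Name], [FMP-If: ...], [FMP-Else], [/FMP-If].
CDML_TAG = re.compile(r"\[/?FMP-([A-Za-z]+)[^\]]*\]", re.IGNORECASE)


def cdml_tags(text):
    """Return the set of lower-cased CDML tag names (e.g. {'if', 'field'}) in text."""
    return {m.group(1).lower() for m in CDML_TAG.finditer(text)}


def audit_files(files):
    """Given {name: contents}, return {name: (sorted tags, finding)} for every
    file that contains CDML. A file with [FMP-If] exposes access-control logic;
    any other format file still exposes field names, layouts and link structure."""
    report = {}
    for name, text in files.items():
        tags = cdml_tags(text)
        if not tags:
            continue  # plain HTML: nothing CDML-specific to leak
        finding = ("access-control logic readable by anyone" if "if" in tags
                   else "format file served verbatim")
        report[name] = (sorted(tags), finding)
    return report


def audit_folder(root, extensions=(".htm", ".html", ".txt")):
    """Walk a web folder on disk and run audit_files over its text files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(extensions):
                path = os.path.join(dirpath, n)
                with open(path, encoding="latin-1") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return audit_files(files)


# Constructed sample web folder contents (not real files from any site).
SAMPLE_WEB_FOLDER = {
    "index.htm": "<html><body>Welcome</body></html>",
    "list.htm": "[FMP-Record]<p>[FMP-Field: Name]</p>[/FMP-Record]",
    "secure.htm": ("[FMP-If:CurrentClientAccess.eq.2]show secure stuff"
                   "[FMP-Else]not allowed[/FMP-If]"),
}

if __name__ == "__main__":
    for name, (tags, finding) in audit_files(SAMPLE_WEB_FOLDER).items():
        print(f"{name}: {finding} (tags: {', '.join(tags)})")
```

Run `audit_folder("/path/to/web folder")` against a real installation to get the same report for files on disk.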

SOLUTION:
Besides writing your own web application server, you could invest in a third-party web application server like Lasso or Tango (both of which are made to be used with FileMaker Pro), or other third-party programs.

I am not sure which one is best, but they are better than the Web Companion. For example, Lasso has many more [If-] tag options that can be used to secure certain data or text. Lasso also has filtering options for serving files; it won't just serve any file to anyone who can type in its URL.

Web Security Database
Using the Web Security Database makes managing users easy and scriptable (even editable over the web, which is not really a good idea, but...). However, it is debatable whether it is better than using the FileMaker Pro Access Privileges.

There are some workarounds which involve adding fields to the Web Users database and creating relationships. In your database, create an auto-enter or calculation field that evaluates the external function "External ("Web-ClientName", 1)". Relate this field to the "User Name" field in "Web Users.fp3". Then you can set up partial restrictions for that user based on extra fields that you create.

For more information, check the documentation that comes with FileMaker Pro. Also, if you check the FileMaker Pro user groups, people ask about these same security issues, but there aren't many answers.