409 86 213KB
English Pages 20 Year 2001
Securing data on the Web You should consider security for your FileMaker® Pro databases whenever they can be accessed over any type of network, whether peer-to-peer or for access from a web browser. Design your databases with your security needs in mind. You might need to maintain public and private data in separate files with separate levels of access. For example, if you have a database that contains all of your customer data, including credit card and shipping information, this data is most secure if it is never shared over the Web. However, this can be impractical. If you want to shield your customers’ credit card information while making their shipping addresses available for verification, one method is to create a separate database containing all of your customer ID numbers. Create a relationship from this database to your master database, and display only the related fields that you want to expose to your customers. This secondary database can then be shared over the Web, while your master database can remain offline. Note FileMaker Pro doesn’t provide password encryption. To provide security for your database passwords over the Web, consider installing Secure Socket Layer (SSL) protection, which is available from third-party vendors and supported by the FileMaker Pro Unlimited software’s Web Server Connector.
Protecting published databases When you publish a database, you can limit who can access your database and the tasks that users can perform:
1 If you specify FileMaker Pro access privileges for your database, those same access privileges are in effect when you publish your database on the Web. When web users open the database in their browser, they enter the same password they use to open the file in FileMaker Pro. 1 1 1
You can allow or prevent remote administration.
1
You can select web styles that only allow users to search your database or enter new records.
You can specify the IP addresses that can request data from the Web Companion.
You can specify a layout to limit the fields that web users can access. (Web users can access all records in the open database.)
Access privileges vs. the Web Security Database You can protect FileMaker Pro data published on the Web using either FileMaker Pro access privileges or the FileMaker Pro Web Security Database. Access privileges are the best choice for most database security needs, and the only security choice for sharing databases over a local area network. If you’re sharing data on an intranet or the Internet, you can use either access privileges or the Web Security Database.
1 If you’re doing Instant Web Publishing, use access privileges. 1 If you’re doing Custom Web Publishing, you can use either access privileges or the Web Security Database.
2 Securing data on the Web
Important In FileMaker Pro 5.5, you can now use access privileges to limit access to records on a record-by-record basis. You no longer need to use the Web Security Database for record-by-record security. See “Protecting specific records using access privileges” on page 3 for more information on limiting access on a record-by-record basis. Use the Web Security Database or access privileges for databases accessed via a web browser
Use FileM aker Pro access privileges for peer-to-peer netw orking
FileM aker Pro 5
FileM aker Pro 5
Web brow ser Invoices.fp5
Customers.fp5
Here is a comparison of access privileges and the Web Security Database: Feature
Supported by FileM aker Pro Supported by FileM aker Pro access privileges Web Security Database
Password protection
Yes
Yes
User ID/User name verification
No.
Yes
Disallow searching using a specific field
No
Yes
Administer security privileges remotely
No
Yes
Security for a field across an entire database Yes
Yes
Security for a particular record
Yes
Yes
Security for a field by password
Yes
Yes
Scripting
Yes – Scripting capabilities reflect the privileges associated with a particular password, i.e., if a password permits creating new records, then scripted creation of new records is allowed.
Yes – Scripting capabilities are Boolean, i.e., you can either enable or prevent a user from performing all scripts.
Control browsing of records
Yes
Yes
Control updating of records
Yes
Yes
Control deleting of records
Yes
Yes
Field-level security determines how data in a particular field is secured. For example, you can limit all access to a field that stores credit card numbers, or return as search results only those records that exactly match your search criteria.
Securing data on the Web
3
In the Web Security Database, security for a particular field is administered via the DontShow, DontSearch, and ReadOnly checkboxes. In access privileges, your field-level security choices are Accessible, Not Accessible, and Read Only. In the Web Security Database, you can secure a particular record with ExactSearch, ExactUpdate, and ExactDelete. For example, you can use ExactSearch to allow an individual access to his or her own account information, but prevent that individual from seeing the records of others. In FileMaker Pro 5.5 access privileges, you can define passwords to secure the browsing, editing, deleting, and creating of specific records. For Custom Web Publishing, the Web Security Database can be used with CDML, XML, and the JDBC driver available with the FileMaker Developer software. Important The layout-level security available via access privileges, where an entire layout may be secured as Accessible, Not Accessible, or Read Only, is not recognized by the Web Companion. See the FileMaker Pro documentation for information on Instant Web Publishing. See the FileMaker Developer software and FileMaker Pro Unlimited software documentation for information on Custom Web Publishing. For more information on the Web Security Database, see “Custom Web Publishing using the Web Security Database” on page 7.
Protecting specific records using access privileges With the new record-by-record security in FileMaker Pro 5.5, you use calculation formulae to specify whether users can browse, edit, or delete specific records, based on password privileges. This record-by-record security is available for databases published on the Web, as well. You can also completely turn off browse access. If you remove browse access, users will still be able to perform certain layout and script definition activities, provided those privileges have been assigned to the password. Any scripted commands performed through Instant Web Publishing are subject to the same limitations as scripted commands performed on the desktop. To limit the Browse records, Edit records, or Delete records privilege: 1. Define a password (choose File menu > Access Privileges > Passwords). 2. For Privileges, select Brow se records, Edit records, or Delete records, or a combination of those
privileges, then choose Limited from the list next to the privilege. 3. In the Specify Calculation dialog box, define a Boolean calculation. For each record in the
database, access is granted when the calculation evaluates to True or to a non-zero result, and access is denied when the calculation evaluates to False or 0. For example, to limit users' access to only those records they have created: 1. Define a text field named Record_created_by.
4 Securing data on the Web
2. Set the auto-entry options for that field to auto-enter the name of the record's creator (choose File
menu > Define Fields, select the Record_created_by field, then select Options > Auto-Enter > the Creator Name). 3. Define a password with the Brow se records access privilege limited to records that match the
calculation: Record_created_by = Status(CurrentUserName) The user will only have Browse access to records for which the above calculation evaluates as True.
Additional details about limiting access on a record-by-record basis These additional notes are intended to help database designers integrate limited access privilege passwords into more complex database solutions.
Limited access and related data Important Because access privileges in the source and destination files are evaluated before any data is updated using Lookup or Relookup, consider the implications of limiting Browse and Edit record access when using lookups.
1 Related fields in a record will be visible to users if they have Browse access to the key field in both the current file and the related file. As with FileMaker Pro 5, Relookup and Lookup do not generate errors if related record can't be edited. Only the data in records that the user has appropriate access to are updated. The privileges in both the source and destination databases are considered before any data is replaced.
1
If the calculation you are using to limit access uses data from a related database, you must have access to the related database. In the case of self-related data, read access is temporarily given to the data to allow the formula to evaluate correctly.
1
1 When a Find is performed on a relational join, the found set is filtered to eliminate records for which the user does not have browse privileges. Filtering is not performed on a Show All Records command or when omitting records, although data in any records for which the user's access is restricted will not be visible to the user. 1 If browse access has been limited, the contents of value lists based on fields and relationships are filtered so that users do not gain access to confidential information. This filtering is also performed on the design function ValueListItems(). Limited access and record deletion
1 If the limits on Brow se records and Delete records are different, or if there are no limits placed on the privilege to delete records, it may be possible for a user to delete a record for which he or she does not have browse access. The database designer must impose limits on Delete records to prevent the deletion of records. A warning is displayed when a database designer creates or modifies a password so that it has limits on browse but no limits on delete.
Securing data on the Web
5
1 Delete All Records and Delete Found Records in the Records menu are enabled unless Delete Records has been deselected for the current password in the Define Passwords dialog box. If one of these commands is issued but because of limited access to the Delete Records privilege some of the records cannot be deleted, an alert is generated, indicating the number of records that could not be deleted.
Limited access and brow se and editing privileges
1 Users with edit privileges can only edit records for which they also have browse privileges. This is because there is no way for users to edit records that they cannot browse.
1 A user with limited access privileges may change the contents of a record and, perhaps inadvertently, deny themselves access to that record. Changes take effect as soon as a user exits a record, and a user making changes of this type will not be able to return to a record to which they previously had access. For example, a user may initially be able to edit a record, but if the user makes a change to a record's content that changes the result of the edit limiting calculation so that it evaluates to false, that user will no longer be able to edit that record once he or she exits that record. 1 It is possible for a user to duplicate records that they cannot browse, unless you design the password to prevent duplication. In this situation, the restricted data is not duplicated, however, other operations, such as auto-entered data, can potentially occur. 1 Because record-level access doesn't affect data stored at the file level in unstored calculation fields, summary fields, and global fields, this data is still displayed, even if the browse privilege is limited. The results of any summary fields, however, exclude data that is restricted because of browse limits. Limited access and Finds
1 Records are filtered when a Find is performed on a database that was opened with a password that limits browse access. The found set is filtered so that it contains only records that meet the browse requirements and that match the Find criteria used. The result of Status(CurrentFoundCount) will reflect the fact that records have been filtered from the found set. This filtering is also performed on the design function ValueListItems(). Other notes about limited access
1 Users who do not have browse access to a record will still see the record, but the field content within the record will be replaced with the words . 1 Users cannot use the View Index dialog box when the file is opened with a password that limits browse privileges. 1 If a Replace, Relookup, or Spell Check is performed and some of the records do not have browse access, then those records are ignored. 1 Two status functions, Status (CurrentRecordAccess) and Status (CurrentLayoutAccess), have been added to help you determine access to particular records and layouts.
6 Securing data on the Web
Security tips Keep these security issues in mind when publishing databases:
1 A dedicated machine is the best platform to use for hosting FileMaker Pro databases on the Web. 1 Enable the Web Companion plug-in only if you want to give your users the ability to access a database over the Web.
1 1
Allow users access to only the data they need to see or work with.
Users who open a database with the Export records access privilege, including FileMaker Pro guests, can publish the database (by enabling FileMaker Pro Web Companion on their computers). Use caution when granting access privileges to guests.
1 Due to the way web servers work, all files in the Web folder can be deleted by knowledgeable web users. Don't put sensitive documents or databases inside the Web folder. (The Web folder is located in the FileMaker Pro 5 folder.) 1 To prevent a published database from displaying on the built-in Instant Web Publishing page, rename the database to include an underscore character at the end of the filename, before any filename extension (for example, Orders_ or Orders_.fp5). If you change the filename, you may need to change references to the file in relationships and scripts. If you specify a layout for web publishing, web users can only access the fields on the specified layout. However, knowledgeable users can use features available with FileMaker Developer software to change the layouts that they access.
1
Do not rely on hiding a field on a layout or in a format file as a means of security, as a field that is not displayed is not necessarily secure.
1
1 If you publish a layout with related fields, they appear when a web user opens the master file. The related file opens with the privileges associated with the master file’s password. 1 If you have an open database on a host computer, but you don’t want to publish it, be sure Web Companion Sharing is not enabled for that database. Enable Instant Web Publishing only if you’re using the Instant Web Publishing feature. It is not necessary to enable Instant Web Publishing in order to use Custom Web Publishing.
1
1 It is not necessary to enable FileMaker Pro Multi-User sharing or OS-level file sharing to share FileMaker Pro databases over the Web. It is not necessary to specify TCP/IP as the Network Protocol in FileMaker Pro application preferences. Enable these technologies only if you need them for other types of network access. 1 Enable Access Logging (in Web Companion Configuration), as this log provides a means to audit activity. 1 Do not enable Web Companion sharing for the Web Security Database unless you plan on using the remote administration feature. 1 Do not enable remote administration unless necessary. When enabled, remote administration applies to all databases hosted from a particular machine, and may not be configured to work only with specific databases.
Securing data on the Web
7
1 When you display static web pages (HTML files, images, or pictures that do not change) in a browser, you cannot use access privileges or the Web Security Database for security, though the pages are protected by client IP address filtering. The following CDML tags, new in FileMaker Pro 5, have been disabled: -fmtfield, -mailfmtfield, -errorfmtfield.
1
1 Avoid leading and trailing spaces in passwords you set up under FileMaker Pro access privileges for web sharing. Such spaces are not compatible with how browsers parse passwords. Netscape Navigator and Internet Explorer password-entry routines strip leading and trailing spaces from passwords submitted over the Web. Also avoid using leading and trailing spaces in the remote administration password.
1 A web client using a shared default create-only password under FileMaker Pro access privileges may have edit privileges for other clients' records created during a current session. If you design databases such as guestbooks or posting boards for multiple users, you should not assign the same default create-only password for multiple users. 1 When creating web pages that submit requests for data, always use the POST method to send these statements to the server. Do not use the GET method, as it is more visible. The -dbnames command returns the names of shared databases without requesting a user ID or password.
1
1 Whenever possible, use secure socket layer (SSL) protection on your web server machine, as this provides the highest degree of security. This is especially important when protecting sensitive data, as SSL is one of the best defenses against the password “sniffer” applications often used by hackers. SSL protection is available from third-party vendors. Important Do not store databases in the FileMaker Pro Web folder, as any databases in this folder are visible over the Web. Exceptions to this rule are if you need to use remote administration features for them, such as the -dbopen or -dbclose CGI commands. Such features are only available to databases stored in the FileMaker Pro Web folder or below. All databases stored in the FileMaker Pro Web folder should be password-protected. When you use -dbopen to serve databases over the Internet, in order to secure both the remote administration password and the database password, you must use the Web Server Connector (available in the FileMaker Pro Unlimited software) and SSL protection. Passwords are not encrypted, and so are not secure.
Custom Web Publishing using the Web Security Database The FileMaker Pro Web Security Database is a set of three related databases working together to protect your databases published on an intranet or the Internet. Designed to work with your custom web pages, the Web Security Database lets you provide user name and password protection to multiple FileMaker Pro databases.You can optionally set specific user permissions and field restrictions for each database, and update or change those settings directly from your web browser.
8 Securing data on the Web
With a Web Security user name and an optional password, web users can do one or more of the following in your published database(s):
1 Browse records 1 Create records 1 Edit records 1 Delete records 1 Perform scripts 1 View all except certain restricted fields 1 Search all except certain restricted fields 1 Edit all except certain restricted fields 1 Enter a special value in a restricted field and view, edit, delete only those records that contain the exact matching value
1
Modify or delete records containing exact matching values in the restricted field
Important The Web Security Database is not designed to work with FileMaker Pro Instant Web Publishing. The ExactSearch, ExactUpdate, and ExactDelete field restrictions do not function properly in Instant Web Publishing. For information about creating custom web pages using the FileMaker Pro Unlimited or FileMaker Developer products, go to the FileMaker, Inc. web site at www.filemaker.com. In FileMaker Pro, choose Help menu > FileM aker on the Web.
How the Web Security Database w orks The Web Security Database includes two types of files: databases for providing web security and HTML pages for changing the web security settings remotely. Web security is controlled by a main database called Web Security.fp5 and two related databases called Web Users_.fp5 and Web Fields_.fp5. When users attempt to access your protected database on the Web, the web browser displays a user name and password dialog box.
Securing data on the Web
9
Once a user name and password are established, they are sent by the web browser with every request to the web server. The FileMaker Pro Web Companion checks these values against the settings configured in the Web Security Database, and then determines if any user permissions or field restrictions exist for a specific action.
Installing the Web Security Database When you install FileMaker Pro, the Web Security Database files are automatically installed in a Databases folder in a folder named “Web Security” located inside the FileMaker Pro application folder. If the folder isn’t there, then you’ll need to do a custom install. See the FileMaker Pro Getting Started Guide for information on installing FileMaker Pro Web Support, which includes the Web Security Database. Note Do not install the Web Security Database to the Web folder.
Enabling the Web Security Database The Web Security Database must be open before you can enable it in FileMaker Pro. 1. In FileMaker Pro, choose File menu > Open and open the Web Security.fp5 file.
FileM aker Pro/Web Security/Databases/Web Security.fp5
The related files, Web Users_.fp5 and Web Fields_.fp5, also appear in separate (usually minimized) windows (Windows) or in the Window menu (Mac OS).
2. Choose Edit menu > Preferences > Application. 3. In the Application Preferences dialog box, click the Plug-Ins tab (or choose Plug-Ins from the
pop-up menu).
1 0 Securing data on the Web
4. Select the Web Companion checkbox to enable the Web Companion plug-in.
Note If Web Companion doesn’t appear in the Application Preferences dialog box, you must install the Web Companion plug-in (see the FileMaker Pro Getting Started Guide). You only need to enable the Web Companion plug-in once for the FileMaker Pro application. To do so, you must have a connection to the Internet or an intranet. (For information, see chapter 14, “Publishing databases on the Web” in the FileMaker Pro User’s Guide.) 5. With Web Companion selected, click Configure. 6. In the Web Companion Configuration dialog box, make sure that Enable Instant Web Publishing is not selected (the Web Security Database is not designed to work with FileMaker Pro Instant Web Publishing). 7. Select Web Security Database to enable it.
Note The Web Security Database option is not available (dimmed) when the Web Security.fp5 database is not open.
8. For Remote Administration,select Disabled if you do not plan to do remote administration.
Securing data on the Web
11
9. For Remote Administration, select Requires passw ord and enter a password in the box if you want to access the Web Security Database settings later from the Web. Requiring a password for remote administration ensures that unauthorized web users cannot gain access to the Web Security Database and other files located in the Web folder. It is not recommended that you do remote administration without a password. See “Changing Web Security settings remotely from the Web” on page 14. 10. Click OK to close the Web Companion Configuration dialog box. 11. Click OK to close the Application Preferences dialog box. 12. Choose File menu > Sharing and make sure that the database is shared via the Web Companion.
Assigning Web Security to your databases To protect one or more databases with the Web Security Database, you create a record for each database. In each record, you set up user names, passwords (optional) and permissions for each user, and field restrictions for each database. 1. In the Web Security.fp5 database, create a record for each database you want to protect by choosing Records menu > New Record. 2. In the Database Name field of each new record, type the name of the database you want to protect.
Or, type All Databases in the Database Name field of one record if you want to make the same user permissions and field restrictions for all of your published databases.
3. If the database has a password set up with FileMaker Pro access privileges, and you want that password's restrictions to be added to those of the Web Security database, type that password in the Database Passw ord field. In most cases, you should type the master password here.
1 2 Securing data on the Web
Note Any access privilege restrictions placed on the Database Password in FileMaker Pro override the Web Security Database permissions. Web access privileges can never be greater than the privileges provided by the Database Password, regardless of the settings in the Web Security Database. 4. Type the first user name in the User Name field. 5. Type a password in the User Passw ord field if you want to require one for the user.
When creating a password, use only the characters A through Z, numerals, or a combination of the two. Do not include spaces in your password. This minimizes the possibility that you will choose characters that may be interpreted incorrectly over the Web. Important Do not use leading or trailing spaces in user names or passwords for remote administration, access privileges, or the Web Security Database. 6. Select one or more of the following permissions for the user. Select this user permission To allow the specified w eb user to do the follow ing Browse
Browse records in the database, subject to any field restrictions set below
Create
Add records to the database, subject to any field restrictions set below
Edit
Modify records in the database, subject to any field restrictions set below
Delete
Remove records from the database, subject to any field restrictions set below
Scripts
Run scripts defined in the database
7. Repeat steps 4 through 6 to add permissions for other users.
You can type All Users in the User Name field to create privileges that apply to any web user. These privileges override more restrictive privileges set for other users. Therefore, if you set All Users to be able to browse, create, and edit records, then any other user names you enter for this database can also browse, create, and edit records regardless of the user permissions you set for them. Leave the User Passw ord field blank if you’re setting privileges for All Users. (FileMaker Pro displays an alert if you attempt to enter a password for All Users.)
Securing data on the Web
13
8. In the Field Name field, type the name of any field that you want to restrict for this database (be sure to type the defined field name, not the name of a field label) and select one or more of the following restrictions for the field. When this field restriction is selected
Web users can do the follow ing
DontShow
View all fields in a record except this field. If a field with this restriction appears in the web page, a blank value is returned as if the field were empty.
DontSearch
Specify search criteria in any field except this field. Web users cannot search for data in this field.
ReadOnly
View but not edit data in this field.
ExactSearch
Retrieve only those records containing exact matching values to the search criteria specified for this field. A record is not returned unless an exact match is made with the field’s value in the database. If ExactSearch is assigned to a field, the “equals” operator must be used with that field when it is present in a search action. Also, if the ExactSearch restriction is set for any field, then the -findall and -findany actions cannot be used with that database.
ExactUpdate
Edit only those records containing a value that exactly matches the value specified by the user for this field in a search. Web users cannot edit this field.
ExactDelete
Delete only those records containing a value that exactly matches the value specified by the user for this field in a search. Web users cannot edit this field.
Protecting specific records in a database using the Web Security Database Important In FileMaker Pro 5.5, you can now use FileMaker Pro access privileges to handle adding, deleting, browsing, and editing records on a record-by-record basis. See “Protecting specific records using access privileges” on page 3 for more information. The ExactSearch, ExactUpdate, and ExactDelete field restrictions provide record-level security for your databases on the Web. You can limit web user access to specific records in your databases by creating a special field value for those records that only authorized users know, and applying the ExactSearch, ExactUpdate, or ExactDelete field restrictions to the field. Web users are required to enter the correct value in a search, and only those records containing the value can be displayed, edited, or deleted. By adding the Don’t Show field restriction to the field, unauthorized web users will not be able to see the value when the records are displayed. Note When using the ExactSearch restriction for any field, the -findall and -findany actions cannot be used with that database. The ExactSearch, ExactUpdate, and ExactDelete field restrictions can also be applied to related fields by adding the relationship name and a double colon to the field name. Web users must enter a non-blank value for the related field when searching the database. The value cannot contain any FileMaker Pro wildcard or range search characters (*, @, !, =, //, “..”, or “...”).
1 4 Securing data on the Web
To protect specific records in a database using the Web Security Database: 1. In FileMaker Pro, define a field in the database to contain the special field value.
YourSecretCode: 2. Enter the special field value for the field in each specific record you want to protect.
YourSecretCode: ch5rries 3. In a text editor or HTML authoring program, create an HTML text field in your search web page
using the same name as the field you defined in the database.
Enter your secret code here