JSC Sberbank of Russia - Ukraine
UA
Last activity: 21 Jan 2016 3:23 EST
Public Application for everybody in the Internet
Hi, Guys,
I have a request from the Business to create a public application for everybody (non-authenticated users) on the Internet.
There are some questions I want to discuss:
1. We are using IBM WebSphere Application Server ND as the JEE platform for PRPC. Are there any recommendations/instructions from Pegasystems on how to protect a PRPC cluster from Internet attacks? What are the components (and their configuration) I have to deploy in LAN-DMZ-Internet to make a protected IT landscape for PRPC?
I know the Planning Concepts from IBM about deploying WebSphere Application Servers. We used a configuration with IBM HTTP Server (IHS) in the DMZ as load balancer and proxy (without JEE applications) to forward client requests to web services through the firewall to our app servers in the corporate segment of the LAN (like in Figure 5-6 below):
There are some other deployment configurations from IBM. And what is recommended by Pegasystems?
This is a very important question because I need to show a user interface on PRPC which contains the Developer Portal and corporate flows/applications.
2. How to "authenticate" everybody on the Internet and allow them to use my new application without a login and password? Just to collect user data or show some information.
Thanks for your help.
Hi Volodymyr,
1. Pega is a J2EE application and all standards for Internet-facing J2EE applications are applicable here. Both architectures seem to be fine. Please make sure sticky sessions are turned on at the load balancer and proxy level. Consider SSL and URLEncryption.
2. Use Single Sign-On for authentication requirements (SAML, SiteMinder etc.). Use the Pega authentication service type 'PRCustom' to meet your authentication needs; it is customizable.
If you need additional help with the details, the Pega professional services team could help with design, implementation, scaling & performance testing.
JSC Sberbank of Russia - Ukraine
UA
Hello, Gopinathan,
SSO is not suitable for "authenticating" everybody on the Internet. I just found info about the "guest" user in PRPC:
A guest user is an unauthenticated visitor to the PRPC system. A guest user may "arrive" through the browser interface or through a services interface. Most capabilities, RuleSets, activities, and other processing are available only to authenticated users, not to guests. However, your system can control guest capabilities through requestor type data instances and access role data instances. Guest users typically have access to rules in the RuleSets listed in the PRPC:Unauthenticated access group, as referenced in the Requestor type instance named pega.BROWSER.
It's a very useful article, "Customizing the Pega 7 login screen", which describes how to use the PRPC:Unauthenticated access group with a new RuleSet for guest access. It works.
Is it the right way to develop and distribute a public application in such an "Unauthenticated" RuleSet for everybody?
Another way I am thinking about is to make an automatic logon as described in "Access to PRPC Application by its own URL", by using params in the URL like this: http://PRPCserver/prweb/PRServlet?UserIdentifier=UserName&Password=cnVsZXM=&pyActivity=Data-Portal.ShowDesktop
In this case we can run the application from the default Access Group in the UserName profile. The user will be authenticated, but everybody will create multiple sessions in PRPC under this UserName user. Is this way better than the guest user modification?
I can't believe I am the first who is trying to create a public application in PRPC... Maybe there is a standard way to do this?
Pegasystems Inc.
US
Hi Volodymyr,
You are not the first one trying to utilize PRPC in a public-facing Internet site. In fact, https://pdn.pega.com/pega-web-mashup/introduction-to-using-pega-web-mashup-gadgets has been used by many of our clients (old name: IAC). There are many related articles from there. Please take a look when you get a chance.
Kevin
JSC Sberbank of Russia - Ukraine
UA
Hi Kevin,
Thanks for your answer. As I understand, IAC is used to embed the UI of a PRPC application into an HTML page on the corporate site. But it doesn't help us to authenticate "everybody users". Am I right?
Pegasystems Inc.
US
No, but if you know your requirement about the 'everybody user', you should be able to set it up as a special access group in terms of privileges, etc. You always need a user/pwd for this approach. Depending on your requirement, you may also want to check DWA (https://community.pega.com/sites/default/files/help_v719/procomhelpmain.htm).
JSC Sberbank of Russia - Ukraine
UA
Hi Kevin,
Thanks for trying to help, but I'm afraid DWA is not suitable for a complex public application. It is based on a one-time generated URL and has many UI limitations.
I am thinking about dynamically generated users with the right Access Group, made from a model user template.
Pegasystems Inc.
US
Hi Volodymyr,
You mention in your initial post:
This is a very important question because I need to show a user interface on PRPC which contains the Developer Portal and corporate flows/applications.
Are you saying your generic guest users are going to have Dev Portal access? This is a very bad idea. From there, I can build my own records to do pretty much anything, so you're making Pega Platform an attack vector for everything connected to it.
Assuming you meant that you want to have unauthenticated/generic users get to a limited subset of the application, while also having properly authenticated users with full Dev Portal access, then yes, you could do something with the URL to get the generic users logged directly in under some extremely limited access group (access deny rules are your friend here), and a separate URL for the users who need to be authenticated. I'm not sure why you would be dynamically generating users. Are you saying a random person comes in from the Internet and creates a username/password? If so, then your purely generic user should probably be limited to the logon screen and the create-a-user flow. From there, you actually would want to require authentication, but the operators created would still be locked down as much as possible to keep them from seeing/doing things that they shouldn't.
Thanks,
Mike
JSC Sberbank of Russia - Ukraine
UA
Hi Mike,
Are you saying your generic guest users are going to have Dev Portal access?
No, I just say that PRPC contains the DEV Portal, which I can't turn off. And everybody from the Internet can try to get access to it by hacking methods. So, I am thinking about how to protect my PRPC from unauthorized access to the DEV Portal.
Assuming you meant that you want to have unauthenticated/generic users get to a limited subset of the application, while also having properly authenticated users with full Dev Portal access
Yes, exactly.
My current idea is to:
---- Make it possible to run some rules by unauthenticated users ----
1. Create a new RuleSet for use by unauthenticated users ("unathenticated:01-01-01").
2. Create an Access Group for unauthenticated users ("Guest" with Role "PegaRULES:guest" and Production RuleSet "unathenticated:01-01").
3. In Requestor Type "BROWSER", add my Access Group "Guest".
4. Save the authentication activity ("IACAuthentication") from one of the PRPC servlets ("IAC") into the new RuleSet ("unathenticated:01-01-01").
---- Make fake authentication for Internet users ----
5. Create an Operator ("UserForPublicApp1") with the default Access Group created for my public application ("PublicApp1").
6. Change the authentication activity ("IACAuthentication") in the RuleSet ("unathenticated:01-01-01") to:
- parse the browser URL and analyse the parameters (if "RunApp=PublicApp1" is present);
- make the current Requestor authenticated in PRPC as the Operator ("UserForPublicApp1").
It's possible to add new "authentications" for public applications in PRPC by adding additional logic to my authentication activity.
What do you think about this plan?
It seems there is no standard way (servlet?) to make applications available for everybody on the Internet. Just by custom development?
Is it safe to save the authentication activity in a RuleSet (like "unathenticated:01-01-01") that is available for everybody to access?
Is it possible to make the DEV Portal application accessible via a special "administrative" port, different from the other custom applications? If yes, it's possible to protect access to the DEV Portal by firewall restrictions for Internet users, and allow access to it from the intranet for corporate admins.
Many questions ...
Maybe you can ask the PRPC top developers to fix these problems in future versions.
Pegasystems Inc.
US
Hey Volodymyr.
We have a similar requirement and we are also following the steps that you mentioned above.
In our authentication activity we change the context of the unauthenticated requestor with the activity step method Param.pyOperPage = @java("mysteppage"), and let Pega subsequently kick off the default activity (Data-Portal.ShowDesktop) in the operator profile to open the desired portal.
However, my client is not allowing the use of the SnapStart URL that you have used, as they don't allow passing the password as a query string, even if it is base64 encoded. So, we are using an HTTP header token to pass the operator ID. Through a Java step, we can get the HTTP token, and then use it to change the requestor context using Param.pyOperPage = @java("mysteppage"), to open the desired portal.
Please share if you were able to implement the above design and authentication/authorization mechanism.
Thanks much.
Uttam
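The auto-logon URL discussed above carries the operator's password in the query string, and the objection Uttam's client raised applies to any deployment that does this: query strings are written to the IHS/proxy and WebSphere access logs, survive in browser history and Referer headers, and base64 is an encoding, not encryption. The following Python script is an added example, not code from this thread or from Pegasystems. It scans constructed Apache/IHS-style access log lines for credential-bearing query parameters, shows that a base64 password decodes straight back to plaintext, and produces a redacted copy of the request target that is safe to retain or forward to a SIEM. The log format, the parameter names other than UserIdentifier and Password, and the sample lines are assumptions.

```python
"""Audit access-log lines for credentials carried in URL query strings.

Added example (not from the thread or Pegasystems). Assumes the Apache/IHS
"common" log format; UserIdentifier and Password are the parameter names
used in the thread's auto-logon URL, the other names are assumed aliases.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names (compared case-insensitively) treated as credential-bearing.
CREDENTIAL_PARAMS = {"useridentifier", "password", "pwd", "passwd", "token"}

# Constructed sample log lines (not real traffic). The first one mirrors the
# auto-logon URL pattern discussed above, with a constructed base64 password.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2016:09:15:02 -0500] "GET /prweb/PRServlet?UserIdentifier=UserForPublicApp1&Password=c2VjcmV0LXNhbXBsZQ==&pyActivity=Data-Portal.ShowDesktop HTTP/1.1" 200 5120
10.0.0.7 - - [21/Jan/2016:09:15:09 -0500] "GET /prweb/PRServlet?pyActivity=Data-Portal.ShowDesktop HTTP/1.1" 200 4096
10.0.0.9 - - [21/Jan/2016:09:16:30 -0500] "POST /prweb/PRServlet HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_if_base64(value):
    """Return the plaintext if value is valid base64 of ASCII text, else None.

    This is the point about base64 "encoded" passwords: anyone who can read
    the log can reverse it, so it offers no confidentiality at all.
    """
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_credential_params(target):
    """Map each credential-bearing query parameter in a request target to its value."""
    # parse_qs turns '+' into a space, so a base64 value containing '+' only
    # survives if the client sent it as %2B (which is the correct encoding).
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {name: values[0] for name, values in params.items()
            if name.lower() in CREDENTIAL_PARAMS}


def redact_target(target, names):
    """Replace the value of each named query parameter with [REDACTED]."""
    for name in names:
        target = re.sub(rf'(?i)(\b{re.escape(name)}=)[^&]*', r'\1[REDACTED]', target)
    return target


def audit_log(text):
    """Return one finding per log line whose query string carries credentials."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        creds = find_credential_params(match.group("target"))
        if not creds:
            continue
        reversible = any(decode_if_base64(value) is not None
                         for name, value in creds.items() if name.lower() == "password")
        findings.append({
            "ip": match.group("ip"),
            "timestamp": match.group("ts"),
            "params": sorted(creds),
            "password_reversible": reversible,
            "redacted": redact_target(match.group("target"), creds),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']}: credentials in query string "
              f"{finding['params']}, base64-reversible={finding['password_reversible']}")
        print("  safe to keep:", finding["redacted"])
```

Run against the real IHS access_log, a non-empty result means the credential is already sitting on disk in the DMZ, which is exactly the exposure the header-based approach avoids. The same review applies to that header: the proxy in the DMZ must set or strip the operator-ID header itself rather than forward whatever value the Internet client supplies, otherwise the header is just another self-asserted credential.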
Pegasystems Inc.
IN
Would IAC (Pega Mashup or self service) work?
Please share your thoughts/comments, Thank you!
psahukaru
JSC Sberbank of Russia - Ukraine
UA
IAC/Mashup works well, but how can it help us?