(416) 483-5219 sales@arnicasoftware.com Registration Log In
(416) 483-5219 sales@arnicasoftware.com

How to secure access to applications using web request filter in Arnica Platform

January 31, 2016 by Igor Lozhkin
Arnica Platform applications (WebReportWebPortalWebScript, etc.)  have various tools for securing access to resources, both declarative (authentication and authorization) and programmatic (condition scripts and business rules). Request filter is another method to secure and control access to application using declarative (no coding, or low coding) technique.

Request filters are defined in Arnica UnifiedLogon and may be selected per resource (report, form, portal page, web API, etc.). Once selected, request filter is engaged at earlier stage of resource instantiation, so request filter rules may be applied/validated before executing logic of a particular resource. 

Request filter may specify stopping request processing if certain conditions are met, or redirecting request to an alternative resource, or displaying custom content/message to the user. 

Multiple request filters may be selected per resource - each of them validating requests using their own rules. For example, one request filter may check that the request uses secure HTTPS channel and passes certain parameters via posted data, while another request filter may inspect parameters for certain dangerous content, for example, SQL code injection attack.

When multiple request filters are selected per resource, request filters are executed in their specified sequence and validation failure of any request filter may block request from reaching resource logic.

The following are validation rules which may be configured with request filter:
  • Include/exclude IP addresses
  • Include/exclude resources by their names (specific reports, forms, web APIs, etc.)
  • Allow/deny query string with certain patterns
  • Allow/deny HTTP referrers with certain patterns
  • Allow/deny browsers with certain patterns in browser agent string
  • Allow specified HTTP request methods (GET, POST, etc.)
  • Allow specified protocols (HTTP, HTTPS)
  • Allow requests from IP addresses in specified white list
  • Deny requests from IP addresses in specified black list
  • Allow requests only if any other validation logic specified in custom condition script was passed 
If request filter validation passed, the following are configurable options for what happens next:
  • No action - request filter passes execution to the resource, or to the next request filter
  • Redirect to other HTTP resource
  • Display custom content, saved with request filter definition, or from external file, or derived as a result of specified web request
  • Execute custom program script, which may engage any additional request processing and/or routing logic
If request filter validation fails, the following are configurable options for what happens next:
  • No action - request filter blocks further request processing
  • Redirect to other HTTP resource
  • Display custom content, saved with request filter definition, or from external file, or derived as a result of specified web request
  • Execute custom program script, which may engage any additional request processing and/or routing logic
Below is a screenshot of request filter properties page in the Arnica UnifiedLogon Administrator module:

Arnica_unifiedlogon_request_filter_properties_page.png