Security Settings Setup
Use Security Settings to modify the security configuration for the solutions within your tenant.
Since AppBase version 6.7 R2, a user needs the role System: Allow Company Setup to access the Company Setup section.
For more information about AppBase roles, refer to the article Managing Roles.
Steps
- On the top right, navigate to → Company Setup
- On the left, navigate to Company → Security Settings
- Click on the Edit icon to edit any of the settings
| Setting | Description |
|---|---|
| ASP.NET Session Timeout | Shows the default ASP.NET session timeout configured for AppBase. |
| Session Timeout | Sets the lifetime of the user session. |
| Session Sliding Expiration | When enabled, every request made during a valid session resets the expiration time of the authentication cookie, so the session ends after a period of inactivity rather than at a fixed time after login. |
| Require HttpOnly attribute | Adds the HttpOnly flag to cookies so that client-side script cannot read them. This does not prevent cross-site scripting (XSS); it limits the impact, because an injected script cannot read and exfiltrate the session cookie. |
| Disable session timeout warning popup | Do not show a warning popup before the user's session ends. |
| Timeout warning popup before session expiration appearing value | How long before the end of the user's session the warning popup is shown. |
| Force logout on session timeout | If the user was inactive for the whole session lifetime, the user is forcibly logged out when the session times out. |
| Security Token expiration timeout | Sets the lifetime of the Security Token. |
| Web DAV Access Token expiration timeout | Since AppBase version 6.7 R2 the WebDAV token expiration timeout is configurable, which makes the WebDAV session independent of the AppBase session. See Web DAV Configure Access Token Timeout below. |
| Lock sessions to the IP address/hostname from which they originated or from Local Network | Enables token IP validation: a session token is only accepted from the IP address (or, with the Local Network option, the local network) from which the session was created. Users whose address changes during a session (mobile networks, proxy pools) are rejected and must log in again. |
| Restrict access to javascript configuration to selected hostnames | List of hostnames (checked against the request's referrer) that are allowed to fetch the JavaScript configuration file (ConfigJS); any other requester receives the status "Forbidden". |
| Allow cross-domain communication with AJAX request for selected domains. | Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to let a web application running at one origin access selected resources from a different origin. For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts, so a web application can only request resources from the origin it was loaded from unless the response from the other origin includes the right CORS headers. Use commas to separate multiple URLs, or the wildcard (*) to allow access to the affected resources from any outside domain. Note that browsers reject a wildcard for requests that carry credentials, so the wildcard does not work for the authenticated session. Example |
| Allow to render pages in a frame, iframe or object for selected domains (CSP) | By default, AppBase does not allow its pages to be rendered inside frames, iframes or other containers on external websites. AppBase enforces this with the content-security-policy and x-frame-options response headers. If you want to render AppBase public or portal pages inside an iframe on an external website, add your partner URL(s) to the allow-list. Use commas to separate multiple URLs. Example https://localhost:4430,http://localhost:8080 |
| API IP Whitelist | A list of IP addresses that are granted access to the AppBase API. |
| Tenant Resource Validation | Validation rules for files uploaded as resources (Pattern, Allow, Deny, Max File Size (Kb)). Contact support for additional instructions about the resource upload validation configuration. |
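The following is an added worked example, not code from AppBase or its documentation. It models the browser-facing effect of four settings in the table (Require HttpOnly attribute, the CORS domain list, the frame/iframe CSP allow-list and the ConfigJS hostname restriction) against a constructed HTTP response. The cookie name ASP.NET_SessionId, the header values and the origins (partner.example, appbase.example, attacker.example) are sample data chosen for the example, not real AppBase output. It shows why HttpOnly limits the impact of XSS rather than preventing it, why the CORS wildcard cannot serve the authenticated session, how a browser resolves frame-ancestors against X-Frame-Options, and what a referrer hostname check does and does not guarantee.

```javascript
// Constructed sample response headers, as they would arrive in the browser from an AppBase page.
const SAMPLE_RESPONSE = {
    'content-security-policy': "frame-ancestors 'self' https://partner.example",
    'x-frame-options': 'SAMEORIGIN',
    'set-cookie': [
        'ASP.NET_SessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
        'theme=dark; Path=/'
    ]
};

function parseSetCookie(header) {
    const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
    const eq = nameValue.indexOf('=');
    const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
    for (const a of attrs) {
        const [k, v] = a.split('=');
        cookie.attrs[k.toLowerCase()] = v === undefined ? true : v;
    }
    return cookie;
}

// "Require HttpOnly attribute": HttpOnly keeps document.cookie from exposing the session cookie,
// so an injected script cannot simply exfiltrate it. Secure and SameSite are the companion flags
// a reviewer checks at the same time.
function auditSessionCookie(setCookieHeaders, sessionCookieName) {
    const cookie = setCookieHeaders.map(parseSetCookie).find(c => c.name === sessionCookieName);
    if (!cookie) return [`${sessionCookieName}: not set in this response`];
    const findings = [];
    if (!cookie.attrs.httponly) findings.push(`${cookie.name}: missing HttpOnly (readable by script; XSS becomes session theft)`);
    if (!cookie.attrs.secure) findings.push(`${cookie.name}: missing Secure (sent over plain HTTP)`);
    if (!cookie.attrs.samesite) findings.push(`${cookie.name}: missing SameSite (sent on cross-site requests)`);
    return findings;
}

// "Allow cross-domain communication with AJAX request for selected domains": the setting is a
// comma-separated origin list or "*". Browsers refuse Access-Control-Allow-Origin: * for requests
// that carry cookies, so the wildcard never serves the authenticated session; it only widens the
// exposure of unauthenticated resources. A matched origin is echoed back, never the wildcard.
function corsDecision(allowListSetting, requestOrigin, withCredentials) {
    const allowed = allowListSetting.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    const origin = requestOrigin.toLowerCase();
    if (allowed.includes('*')) {
        return withCredentials
            ? { allow: false, reason: 'wildcard origin is rejected by browsers for credentialed requests' }
            : { allow: true, header: '*' };
    }
    return allowed.includes(origin)
        ? { allow: true, header: origin }
        : { allow: false, reason: 'origin not in allow-list' };
}

// "Allow to render pages in a frame, iframe or object for selected domains (CSP)": derive the
// effective framing policy, preferring CSP frame-ancestors over X-Frame-Options as browsers do.
// Only full-origin sources, 'self' and 'none' are handled here; real CSP also allows host wildcards.
function framingPolicy(headers) {
    const csp = headers['content-security-policy'] || '';
    const directive = csp.split(';').map(s => s.trim()).find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
        const sources = directive.split(/\s+/).slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
        return { source: 'csp', allowed: sources };
    }
    const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
    if (xfo === 'DENY') return { source: 'x-frame-options', allowed: ['none'] };
    if (xfo === 'SAMEORIGIN') return { source: 'x-frame-options', allowed: ['self'] };
    return { source: 'none', allowed: ['*'] }; // no header at all: any site can frame the page (clickjacking)
}

function canEmbed(policy, embeddingOrigin, pageOrigin) {
    const e = embeddingOrigin.toLowerCase(), p = pageOrigin.toLowerCase();
    return policy.allowed.some(a => a === '*' || (a === 'self' && e === p) || a === e);
}

// "Restrict access to javascript configuration to selected hostnames": the hostname of the Referer
// header is compared with the allow-list. The Referer is supplied by the client, so this stops
// casual cross-site loading of ConfigJS but is not an authentication boundary.
function configJsAllowed(allowedHostnames, refererHeader) {
    if (!refererHeader) return false;
    let host;
    try { host = new URL(refererHeader).hostname.toLowerCase(); } catch (e) { return false; }
    return allowedHostnames.some(h => h.toLowerCase() === host);
}

function auditResponse(headers, sessionCookieName, pageOrigin) {
    const policy = framingPolicy(headers);
    return {
        cookieFindings: auditSessionCookie(headers['set-cookie'] || [], sessionCookieName),
        framing: policy,
        // probe with a constructed origin that is in no allow-list
        anyoneCanFrame: canEmbed(policy, 'https://attacker.example', pageOrigin)
    };
}

console.log(JSON.stringify(auditResponse(SAMPLE_RESPONSE, 'ASP.NET_SessionId', 'https://appbase.example'), null, 2));
```

Run it with node; the report for the sample response has no cookie findings and `anyoneCanFrame: false`. Replace SAMPLE_RESPONSE with headers captured from your own tenant (for example from the browser's network panel) to check a real configuration.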
Web DAV Configure Access Token Timeout
In AppBase 6.6.18 and AppBase 6.7 R2 a configurable WebDAV token expiration timeout was introduced. It makes WebDAV sessions independent of AppBase sessions.
The timeout can be configured on the Company → Security Settings page.
Set a valid value for "Web DAV Access Token expiration timeout" (see the image below).
To use the configurable WebDAV timeout, the solution needs an additional change.
Your solution must call the site.js function getWebDAVAccessToken: function(url, domain, onSuccess, onFailure) instead of the old getWebDavDocumentUrl: function(url, domain).
Example:
Tested in IE, Chrome and Firefox:

```javascript
// Call the following function to get the correct WebDAV URL for your document.
// Pass the CMS document URL and the onSuccess and onFailure handler functions as arguments.
// The domain parameter may be an empty string; AppBase then calculates the solution domain automatically.
var u = Ecx.getWebDAVAccessToken(YOUR_CMS_URL, '', davSuccess, davFailure);

// onSuccess handler example: parses obj.WebDavUrl and opens it in the matching MS Office application.
// The URL is bound to a WebDAV access token that expires after the configured timeout,
// so request it when the user opens the document rather than caching it.
function davSuccess(args) {
    var obj = Ext.decode(args.responseText);
    var webDAVURL = obj.WebDavUrl;
    if (Ext.isIE) { // IE: open through the SharePoint.OpenDocuments ActiveX control
        var ed;
        var progID = activeX_getProgID(webDAVURL);
        try {
            ed = new ActiveXObject('SharePoint.OpenDocuments.3'); // use version 2 for MS Office 2003 or 1 for older versions
        } catch (err) {
            window.alert(t('Unable to create an ActiveX object to open the document. This is most likely because of the security settings for your browser.'));
            return false;
        }
        if (ed) {
            var result;
            try {
                result = ed.EditDocument(webDAVURL, progID);
            } catch (error) {
                window.alert(t('EditDocument error') + error.name);
            }
            if (!result) {
                window.alert(t('Cannot instantiate the required ActiveX control to open the document. This is most likely because you do not have Office installed or you have an older version of Office.'));
            }
            return false;
        } else {
            window.alert(t('Cannot instantiate the required ActiveX control to open the document. This is most likely because you do not have Office installed or you have an older version of Office.'));
            return false;
        }
    } else {
        // Other browsers: first try the SharePoint browser plugin (application/x-sharepoint);
        // if it is unavailable, fall back to the Office URI scheme (ms-word:, ms-excel:).
        try {
            var containerId = '_sharePointPluginContainer';
            var container = Ext.get(containerId);
            if (!container) {
                container = new Ext.Element(document.createElement('div'));
                container.id = containerId;
                container.setStyle({
                    width: '0px',
                    height: '0px',
                    position: 'absolute',
                    overflow: 'hidden',
                    top: '-1000px',
                    left: '-1000px'
                });
                Ext.getBody().appendChild(container);
            }
            if (!container.first()) {
                var domObj = Ext.DomHelper.createDom({
                    tag: 'object',
                    type: 'application/x-sharepoint',
                    style: {
                        visibility: 'hidden',
                        width: '0px',
                        height: '0px'
                    }
                });
                container.appendChild(new Ext.Element(domObj));
            }
            var shpo = container.first().dom;
            if (!shpo.EditDocument(webDAVURL)) {
                window.alert(t('Cannot edit file.'));
                return false;
            }
        } catch (error) {
            var linkId = '_sharePointLink',
                extension = webDAVURL.split('.').pop().toLowerCase(),
                action = 'ofe', // Office URI command "open for edit"
                linkContainer = Ext.get(linkId),
                extensions = {
                    'xlsx': 'ms-excel',
                    'xls': 'ms-excel',
                    'docx': 'ms-word',
                    'dotm': 'ms-word',
                    'docm': 'ms-word',
                    'doc': 'ms-word'
                },
                scheme = extensions[extension];
            if (!scheme) {
                // Unknown extension: without this guard the link would become "undefined:ofe|u|...".
                window.alert(t('Cannot edit file.') + ' (' + extension + ')');
                return false;
            }
            if (!linkContainer) {
                linkContainer = new Ext.Element(document.createElement('a'));
                linkContainer.id = linkId;
                linkContainer.setStyle({
                    width: '0px',
                    height: '0px',
                    position: 'absolute',
                    overflow: 'hidden',
                    top: '-1000px',
                    left: '-1000px'
                });
                Ext.getBody().appendChild(linkContainer);
            }
            linkContainer.dom.href = scheme + ':' + action + '|u|' + webDAVURL;
            linkContainer.dom.click();
        }
    }
}

// onFailure handler example
function davFailure(args) {
    alert('Error:' + args);
}

// Map the document extension to the Office ProgID expected by EditDocument in IE.
function activeX_getProgID(href) {
    var ext = href.substring(href.lastIndexOf('.') + 1).toLowerCase();
    switch (ext) {
        case "ppt":
        case "pptx":
        case "ppsx":
        case "pot":
        case "potx":
        case "pptm":
            return "PowerPoint.Show";
        case "doc":
        case "docx":
        case "dot":
        case "dotx":
        case "dotm":
        case "docm":
        case "rtf": // Will it work?
            return "Word.Document";
        case "xls":
        case "xlt":
        case "xlsx":
        case "xlst":
        case "xlsm":
            return "Excel.Sheet";
        default:
            return '';
    }
}
```