The following are release considerations
and product changes for WebFOCUS security:
- Cross-Site Request Forgery (CSRF) tokens help mitigate CSRF attacks, which attempt to trick an end user into executing unwanted
actions on a web application in which they are currently authenticated. To include a CSRF token within -HTMLFORM
Dialogue Manager Procedures and the creation of HTML reports, an administrator must add the IBI_CSRF_Token_Name and IBI_CSRF_Token_Value
variables to the site.wfs file by typing them in the Custom Settings page and saving the updates. Individual report requests
must also include references to these variables in an input tag within the -HTMLFORM BEGIN/END commands of -HTMLFORM Dialogue
Manager Procedures.
- To accommodate the increased functionality of the Administration Console in WebFOCUS Release 8.2, the single-tab Administration
Console was expanded to four tabs: Configuration, Security, ReportCaster, and Diagnostics. All settings and features were
distributed to these four tabs based on their relevance to the activity identified by the tab name. In addition, an expanded
range of features was assigned to the Security tab to enable administrators to configure all security-related settings within
the Administration Console.
- By default, Release 8.2 Version 02 displays a new Home Page that was developed for this version. You can change this default
behavior and direct WebFOCUS to open the Legacy Home Page that was developed for Release 8.2 Version 01 or a Custom Welcome
Page instead. To do so, update the value assigned to the Redirect /ibi_apps to setting, located on the BI Portal page of the
Administration Console Configuration tab, by selecting the option for either page. In addition, the Default Welcome Page setting
that appeared on the BI Portal page of the Administration Console Configuration tab in WebFOCUS Release 8.2 Version 01 now
appears in the /ibi_apps field that is located underneath the Custom Welcome Page option of the new Redirect /ibi_apps to
setting.
- The default version of regular expressions used in Access Control Templates can be enhanced to include characters from the
following Client Code Pages that use extended character sets:
  - 1252 - Western European (includes all single-byte characters)
  - 942 - Japanese (JA)
  - 949 - Korean (KO)
  - 946 - Simplified Chinese (ZH)
  - 10948 - Traditional Chinese (TW)
  If you use a Client Code Page that includes an extended character set, replace the expression \w+ with the expression that
  identifies the full range of extended characters included in your Client Code Page. If you do not make this adjustment, groups
  whose names use these extended characters will be excluded from the access control template. For more information, see the
  Access Control Template Regular Expressions and Group ID Patterns topic in the Security and Administration manual.
- As of Release 8.2 Version 02, WebFOCUS discontinued support for the OpenID pre-authentication method, and replaced it with
support for the newer version of this method, OpenID Connect. As a result of this change, we recommend that all customers
who use OpenID pre-authentication replace it with OpenID Connect or another method of secure pre-authentication.
- In WebFOCUS Release 8.2 Version 02, the default value assigned to the session identifier setting changed from JSESSIONID to
WF-JSESSIONID. This default value can be replaced by a customized value, if necessary. To do so, open the web.xml file, located
at:
drive:\ibi\WebFOCUS82\webapps\webfocus\WEB-INF\
In the session-config section, type the new value in the name attribute of the cookie-config tag.
- In WebFOCUS Release 8.2, Roles in the Security Center dialog box were updated as follows:
  - DomainDeveloper. Added the Portal Page Designer privilege (opPageDesigner) and the Create Portal (opCreatePortal) privilege
    to the Application Development privilege category. The Create Portal privilege applies only to new portals that are
    created under a domain in Release 8.2.
  - DomainGroupAdmin. Removed the Create Portal privilege (opCreatePortal) from the Application Development privilege category.
  These changes:
    - Move the privilege to create portals within a domain from Group Administrators to Developers.
    - Make the privilege to design portal pages within a domain available to Developers.
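An added example, not taken from the WebFOCUS documentation, for the Access Control Template item above: it builds a widened character class for single-byte Client Code Page 1252 and lists the group names that the default \w+ would leave out. It assumes \w is ASCII-only in the template's regular expression engine (emulated here with re.ASCII) and that a group name must match in full; the function names, sample groups and resulting expression are constructed for illustration.

```python
import re

def extended_letters(codec="cp1252"):
    """Letters that the single bytes 0x80-0xFF decode to in a single-byte code page."""
    letters = set()
    for b in range(0x80, 0x100):
        try:
            ch = bytes([b]).decode(codec)
        except UnicodeDecodeError:
            continue  # byte is unassigned in this code page
        if ch.isalpha():
            letters.add(ch)
    return "".join(sorted(letters))

def widened_class(codec="cp1252"):
    """Constructed replacement for \\w+ (illustrative, not the vendor's expression)."""
    return "[\\w" + extended_letters(codec) + "]+"

def excluded_groups(expression, groups):
    """Group names the expression fails to cover in full.

    re.ASCII limits \\w to [A-Za-z0-9_], the behaviour assumed here for the
    default \\w+; full-name matching is a simplification of a real template.
    """
    pattern = re.compile(expression, re.ASCII)
    return [g for g in groups if not pattern.fullmatch(g)]

# Constructed sample group names, not taken from any real repository.
GROUPS = ["Sales_EMEA", "Vertrieb_Süd", "Finanças", "営業部"]

if __name__ == "__main__":
    print("excluded by \\w+      :", excluded_groups(r"\w+", GROUPS))
    print("excluded after change:", excluded_groups(widened_class(), GROUPS))
```

The last sample group stays excluded because its characters are outside code page 1252; the multi-byte code pages listed above need an expression built for their own character ranges.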