I've been playing with security on Cache Web Terminal and came up with one solution, but I've run into problems.
Can any one help please.

so. I went into the normal cache management portal, and added a new ROLE  that I called "webTerminalAccess" and then assigned it to just one user called "kevin"

I then edited WebTerminal.Engine and inserted the following lines after line 128

    d $System.Security.GetUserRecursedRoleSet(username,.accessRoles)
    if accessRoles'["webTerminalAccess" {
        return $LB("User " _ username _ " does NOT have access to the webTerminal ")
    }

when I test this patch for "kevin", it works correctly and allows me to log in.

If I log in with "Fred" (does not have "webTerminalAccess" role) it correctly shows me

but then I start to get problems. I have no ability to re-log in again with another username. it just repeatedly goes round and round repeating the same message.

I've allowed the session to timeout - same loop,
allowed timeout to run up to 24hrs - same loop.

If I comment out the new lines of code, then "fred" has access to the application.

do I have to do anything different to allow me to effectively reset the connection and log in again. - Its like I need to have the /logout followed by the /clear again.

no matter what I do, once the user is told "no access", I cannot log back on with ANY user (I'm stuck in "fred failed" mode)

Can any one help please

I've just installed the Caché Web Terminal now but I want to make it much more secure.  (v4.0.0-beta.12)

At the moment, any valid user in cache>System>Security Management>Users table can log in to the web terminal.

How can I restrict the user(s) to a specific group of users ?? (ie the programmers)

Is it possible to have a setting that says "kevin" is a valid user, "_SYSTEM" is not a valid user

Perhaps even ip based rules (or a combination of both)

kevin

the current implementation is CSP based and uses (user based) csp licences for the interaction. Because of the way csp retains that licence for a period after "finishing with the sesssion", it would be nice to be able to use a similar implementation that does make any use of the CSP licences

kevin

is it possible to adapt this RestAPI concept to work without using the CSP application ??

kevin

I think comments within the code counts a line, can you introduce a change that ignores comments/blank lines

will it be possible to "turn OFF" certain search areas ?

I don't have Ensemble installed, lets do away with those instantly - it must be easy to have a global switch "search only licenced options" and then automatically hide (totally - not even given the choices) anything that's not in your licence configuration

it depends what format your date-time is currently in but I just find it hard work to start messing about with $piece etc, I use the FOLLOWS command " ] "

USER>set date1=$zdth("01/02/2016 10:00")
 
USER>set date2=$zdth("01/02/2016 20:00")

USER>zwrite date1,date2
date1="63919,36000"
date2="63919,72000"
 
USER>write date1]date2
0
USER>write date2]date1
1
USER>

it works  in external format as well

USER>s date1="2016-02-01 10:00"
 
USER>s date2="2016-02-01 20:00"
 
USER>w date1]date2
0
USER>w date2]date1
1

kevin