Author Topic: WebEA user authentication  (Read 5081 times)

Uffe

WebEA user authentication
« on: February 17, 2018, 12:05:54 am »
Hi all,


I'm evaluating WebEA for a client. According to the WebEA Login help page, in addition to some "access code" I cannot see any point of, WebEA supports "standard Enterprise Architect model security." However, the page then states that login credentials can include
  • An access code, or
  • A user ID and password, or
  • Possibly all three
Ignoring the fact that "all three" makes no sense since you can't provide just a password with no user ID, what about Windows domain authentication? It's part of standard EA model security, but it's not in the list.

Can you authenticate WebEA users against a domain, or not?

What happens if you configure a project for Windows authentication, and configure WebEA to prompt for user ID and password?
Should users provide a blank password?
Is the password ignored?
Or will users be unable to log in?

What happens if you configure a project for Windows authentication, and configure WebEA to prompt for an access code, or no authentication at all?
Are users correctly identified in the project (in Author fields etc)?


/Uffe
My theories are always correct, just apply them to the right reality.

Eamonn John Casey

Re: WebEA user authentication
« Reply #1 on: February 20, 2018, 02:34:53 am »
Uffe,
I registered this with Support a few weeks back and the response is that Windows Active Directory login "does not work as intended".

I do not want to go to the bother of:
a. Creating an Enterprise Architect account for each Active Directory user (e.g. AD/Account --> EA/EA_Account).
b. Neither do I want to open the WebEA for "Public Access" (no user).

If you post it as a Bug, I will +1 it. Just simply have not the time right now.

Here is Support:
Quote
Re: Reference Number: 17127682 : WebEA: 400 Request does not contain User ID

Unfortunately there is not currently any workaround to login to a security enabled model in WebEA without entering an ID/Password. Currently you will need to use login_prompt = "true" and enter credentials to log in.

Please also note, WebEA does not support automatic login using Windows Authentication. When functioning as intended, the only way to login (to a Security enabled model) in WebEA without a User/Password prompt is to use...

From this it seems that Active Directory Security MUST be switched off....

Eamonn J.

Uffe

Re: WebEA user authentication
« Reply #2 on: February 27, 2018, 12:00:10 am »
Here is Support:
Quote
Re: Reference Number: 17127682 : WebEA: 400 Request does not contain User ID

Unfortunately there is not currently any workaround to login to a security enabled model in WebEA without entering an ID/Password. Currently you will need to use login_prompt = "true" and enter credentials to log in.

Please also note, WebEA does not support automatic login using Windows Authentication. When functioning as intended, the only way to login (to a Security enabled model) in WebEA without a User/Password prompt is to use...

From this it seems that Active Directory Security MUST be switched off....

Well, not quite I think. It doesn't say that Windows authentication must be disabled in order to allow WebEA users access to a project, only that WebEA can't utilize Windows authentication. The way I read it, it should still be possible for regular EA users to use Windows authentication.

Thinking further, you could always set up the WebEA site to allow access only to members of certain AD groups. That's just a web server config. However, this would only ensure that the WebEA site is restricted to authenticated users: the WebEA service would still be wide open to anyone who can guess a password.

Possibly the service could be secured by a firewall rule requiring an authenticated connection, listing the permitted AD groups in the rule.

If that works, the problem of restricting access to properly authenticated users can be solved. But WebEA users would still need to identify themselves with user ID / password upon connecting.

Assuming I'm reading Sparx' response to you correctly, that only leaves the question of whether users connecting using the EA client and Windows authentication can coexist with users connecting via WebEA and user ID / password. I.e., two authentication schemes in one project.

And it imposes the restriction that users must be placed in one or the other group. They can't connect with the EA client one day and WebEA the next. (Unless the password hash that's stored in the project can be reversed. What the hell is that thing, anyway?)


It really would help if Sparx could provide some feedback on this. There are just too many ifs and buts and ginormous gaps in the documentation.


/Uffe
My theories are always correct, just apply them to the right reality.
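
The web-server restriction suggested in Reply #2, sketched as an added example (not part of the thread and not Sparx-supplied configuration): a `web.config` for the WebEA site folder. It assumes WebEA is hosted on IIS with the Windows Authentication and URL Authorization features installed; the group name `EXAMPLE\WebEA-Users` is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config placed in the WebEA site folder on IIS.
     EXAMPLE\WebEA-Users is a placeholder AD group. -->
<configuration>
  <system.webServer>
    <security>
      <!-- The authentication sections are locked at server level by default;
           unlock them or set them on the site in IIS Manager instead. -->
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <!-- URL Authorization: drop the default allow-all rule, then
           admit only members of the named group. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="EXAMPLE\WebEA-Users" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

This gates only the web site: WebEA still prompts for a model user ID and password, and the service behind it is not covered by this rule.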