Overview
To improve security, you hope to restrict some projects from being accessed through IP addresses or prohibit some projects from being accessed through certain high-risk APIs.
This document lists solutions in three scenarios.
Note:Solution 1: Restrict any user from connecting to the projects through related APIs. (You can disable the channel API for remote design, single sign-on/login/cross/domain API, and old engine/view/ReportServer API).
Solution 2: Restrict the projects from being connected via remote design (channel API) through IP addresses inside the blacklist/outside the whitelist.
Solution 3: Restrict the projects from being connected through IP addresses inside the blacklist/outside the whitelist in any way, including but not limited to project connection via remote design, template viewing after platform login, and template viewing via single sign-on.
Solution 1: Disabling APIs (Remote Design API/Single Sign-on API/Old Engine API)
Scenario Description
| Application Scenario | Procedure |
|---|---|
Security Level | ★★★★☆ |
Scenario Description | Directly disable the channel API for remote design, single sign-on/login/cross/domain API, and old engine/view/ReportServer API. After the solution takes effect, no user can connect to the projects via remote design/single sign-on/old engine API, but users can still perform operations such as template viewing after logging in to the platform. You can disable APIs as required (no need to disable all). |
Version Limitation | If you want to use this solution, ensure that the project version meets the following requirements:
If the version requirements are not met, contact FanRuan technical support for assistance. For details about how to contact technical support, see Technical Support Channel Introduction. |
Solution
(1) Install the plugin.
Download the web firewall plugin. For details about how to install the plugin on the server, see Server Plugin Management.
| Product Version | JAR Package Limitation | Plugin Download |
|---|---|---|
FineReport 11.0 FineBI 6.0 FineBI 5.1.19 and later versions | Ensure the project JAR package is generated on or after 2023-02-21.
| fine-plugin-com.fr.plugin.web.application.firewall.v11-1.2.1.zip |
FineReport 10.0 FineBI 5.1.18.x FineBI 5.1.17 and earlier versions | Ensure that the project JAR package is generated on or after 2021-04-11.
|
(2) Install the configuration file.
Download and decompress url.zip to obtain the configuration file url.properties.
The file contains three types of APIs. If you only need to disable some APIs, you can delete other rules. (You are advised to disable all.)
Upload the configuration file url.properties to the /webapps/webroot/WEB-INF/config/security path of the project.
Note:
(3) Make the configuration take effect.
For FineReport 11.0/FineBI 6.0/FineBI 5.1.19 and later versions, do not need to restart the project after configuring the file. However, you need to log in to the decision-making system as the admin, disable the web firewall plugin under System Management > Plugin Management, and then enable the plugin for the configuration to take effect.
For FineReport 10.0/FineBI 5.1.18.x/FineBI 5.1.17 and earlier versions, disable or restart the FineReport project for the configuration to take effect after the configuration is completed.
After the plugin takes effect, disable the channel API for remote design, single sign-on/login/cross/domain API, and old engine/view/ReportServer API.
After the solution takes effect, no user can connect to the project via remote design/single sign-on/old engine API, but users can still perform operations such as template viewing after logging in to the platform.
Effectiveness Verification
Access API addresses using your browser. The verification addresses for the three APIs are as follows: (Use the IP and port number of your own project.)
http://IP address:Port number/webroot/decision/remote/design/channel
http://IP address:Port number/webroot/decision/login/cross/domain
http://IP address:Port number/webroot/decision/view/ReportServer
If the error code 403 is returned with the message "Access to xxx was denied. You don't have the user rights to view this page.", as shown in the following figure, the configuration has taken effect.
If the message "Sorry, you cannot view this page. Request method GET' not supported" is displayed, the configuration does not take effect. Check the operation steps.
Solution 2: Restricting the IP Address of Remote Design (channel API)
Scenario Description
| Application Scenario | Procedure |
|---|---|
Security Level | ★★★★☆ |
Scenario Description | Configure the whitelist for remote design. The project can be connected via remote design only through the IP addresses/network segments in the whitelist. The project cannot be connected via remote design (channel API) through IP addresses outside the whitelist, but users can still perform operations such as template viewing after logging in to the platform. |
Version Limitation | If you want to use this solution, ensure that the project version meets the following requirements:
If the version requirements are not met, contact FanRuan technical support for assistance. For details about how to contact technical support, see Technical Support Channel Introduction. |
Configuration Procedure
The configuration steps may vary according to versions. Select configuration steps according to your own situation.
FR 11.0/BI 6.0/BI 5.1.19+
Perform configuration by modifying the fields in the FINE_CONF_ENTITY table in the FineDB configuration database. For details, see FINE_CONF_ENTITY Table Modification Through Data Entry.
Query and modify the following configuration items in the FINE_CONF_ENTITY table. If any of the following configuration items does not exist, add a record and enter the parameter and corresponding parameter value.
After the modification is successful, disable or restart the FineReport project. After the restart is successful, the project cannot be connected via remote design (channel API) through IP addresses outside the whitelist.
| Parameter Name | Parameter Function | Recommended Parameter Value |
|---|---|---|
RemoteConnectionConfig.enableWhitelistVerify | Function: The channel API deserialization vulnerability may pose threats to remote design. You can configure restriction on access by IP address to prevent malicious input. true: Perform IP whitelist verification for the remote design connection API. Note: After this parameter is enabled, the project cannot be connected via remote design through IP addresses outside the whitelist. | true |
RemoteConnectionConfig.ipWhiteList | Prerequisite: The above-mentioned whitelist verification function has been enabled. Function: You can configure the whitelist content. The project can be connected successfully through IP addresses and network segments within the whitelist and no corresponding function is affected. | The value is a network segment in array format. Format: ["item1","item2"] Example: ["119.0.0.1", "192.168.1.1-192.168.1.255", "119.0.0.1/16"] |
FR 10.0/BI 5.1.18.x/BI 5.1.17-
You can use a proxy server or firewall to restrict the project from being accessed by the channel API. After the restriction, the report can be designed remotely only through trusted IP addresses, without affecting viewing.
For example, the NGINX configuration is as follows, where allow is set to the IP address or network segment allowed for access.
server {
listen 443;
server_name your_domain; #IP address or domain name
location ~ .*\/channel {
allow XX.XX.XX.XX;
deny all;
}
}
Effectiveness Verification
After you use a device with an IP address outside the whitelist to open the designer and try to connect to the project for remote design, the error message "An unknown error occurred during remote design connection." pops up, and "com.fr.workspace.engine.exception.RemoteDesigenUnknownException:java.lang.reflect.UndeclaredThrowableException" (indicating successful configuration) is displayed for the stack.
Note:
Solution 3: Restricting FanRuan Systems from Being Accessed by IP Address/Network Segment
Scenario Description
| Application Scenario | Procedure |
|---|---|
Security Level | ★★★★★ |
Scenario Description | You can set the IP address whitelist and blacklist for project access. The project cannot be connected through disallowed IP addresses in any way, including but not limited to project connection via remote design, template viewing after platform login, and template viewing via single sign-on.
|
Version Limitation | If you want to use this solution, ensure that the project version meets the following requirements:
If the version requirements are not met, contact FanRuan technical support for assistance. For details about how to contact technical support, see Technical Support Channel Introduction. |
Configuration Procedure
(1) Install the plugin.
Download the web firewall plugin. For details about how to install the plugin on the server, see Server Plugin Management.
| Product Version | JAR Package Limitation | Plugin Download |
|---|---|---|
FineReport 11.0 FineBI 6.0 FineBI 5.1.19 and later versions | Ensure that the project JAR package is generated on or after 2023-02-21.
| fine-plugin-com.fr.plugin.web.application.firewall.v11-1.2.1.zip |
FineReport 10.0 FineBI 5.1.18.x FineBI 5.1.17 and earlier versions | Ensure that the project JAR package is generated on or after 2021-04-11.
|
(2) Upload the configuration file.
Download and decompress ip.zip to obtain the configuration file ip.properties. Open the file with a text editor and set the IP address whitelist and blacklist.
Upload the modified configuration file ip.properties to the /webapps/webroot/WEB-INF/config/security path of the project.
Note:
| Description | |
|---|---|
Configuration Description | You can configure the whitelist and blacklist (represented by ~).
IP addresses and network segments are supported and can be written as follows:
|
Interception Logic |
|
(3) Make the configuration take effect.
For FineReport 11.0/FineBI 6.0/FineBI 5.1.19 and later versions, do not need to restart the project after configuring the file. However, you need to log in to the decision-making system as the admin, disable the web firewall plugin under System Management > Plugin Management, and then enable the plugin for the configuration to take effect.
For FineReport 10.0/FineBI 5.1.18.x/FineBI 5.1.17 and earlier versions, disable or restart the FineReport project for the configuration to take effect after the configuration is completed.
Effectiveness Verification
When you use a device with a disallowed IP address to access the project, the message "Access to xxx was denied. You don't have the user rights to view this page." will be displayed, as shown in the following figure.
Note:
Previous:Common Issues for SSO
