Flexmonster Software License Agreement (“Agreement”) has been significantly revised and is effective as of September 30, 2024.
The following modifications were made:
The modified version of Flexmonster Software License Agreement is available here.
Downloading, installing, and/or continuing to use Flexmonster Software after September 30, 2024, constitutes Licensee’s acceptance of the terms and conditions of the modified version of Flexmonster Software License Agreement. If Licensee does not agree to any of these terms and conditions, they must cease using Flexmonster Software and must not download, install, use, access, or continue to access Flexmonster Software. By continuing to use Flexmonster Software or renewing the license under License Model or Maintenance after the effective date of any modifications to Agreement, Licensee accepts and agrees to be bound by the terms and conditions of the modified Agreement.
This tutorial describes how to configure the data access security in Flexmonster Data Server used as a console application. For instruction on managing security in the Data Server installed as a Windows/Unix service, see this guide.
Flexmonster Data Server supports different essential security configurations, such as built-in basic authorization and HTTPS.
By default, Flexmonster Data Server is accessible to anyone who can reach its host. Using the built-in basic authorization, you can restrict access to Flexmonster Data Server.
The flexmonster-data-server.exe
file provides the setup-users
command, which allows creating new users and managing them. Run the following command in the console to create a new user:
flexmonster-data-server.exe setup-users add <username>
./flexmonster-data-server setup-users add <username>
Here, <username>
is the name of the created user.
Then you will be prompted to create and confirm the password for the user.
With the setup-users
command, it is possible to see all created users, change the password for a user, and delete a user. Run the following command in the console to learn more about users management:
flexmonster-data-server.exe setup-users --help
./flexmonster-data-server setup-users --help
In the flexmonster‑config.json
file, enable the authorization by setting the Enabled
property of the Authorization
object to true
:
"Security" : {
"Authorization": {
"Enabled": true
},
...
}
Basic Authorization requires certain origins to be defined in the Access-Control-Allow-Origin
header. Origin is a domain that sends requests to Flexmonster Data Server (e.g., http://localhost:8080
or https://example.com
).
To allow the origin to send requests to the Data Server, specify the AllowOrigin
property in the flexmonster-config.json
file:
"Security" : {
...
"CORS": {
"AllowOrigin": "http://localhost:8080"
}
}
Several origins must be defined as follows:
"AllowOrigin": "http://localhost:8080,https://example.com"
In this step, credentials are configured in Flexmonster Pivot. There are two ways to configure credentials:
withCredentials
property: dataSource: {In this case, you need to enter your login and password when first connecting to Flexmonster Data Server.
type: "api",
url: "http://localhost:9500",
index: "data",
withCredentials: true
}
dataSource: {
type: "api",
url: "http://localhost:9500",
index: "data",
requestHeaders: {
"Authorization": "Basic QWxhZGRpbjpPcGVuU2VzYW1l"
}
}
Note The header should be specified in the standard for basic authentication format.
In this case, the authorization will be automatic, and the browser will not ask for the login and password.
All data sent by HTTP is not encrypted and can be inspected. To make the Data Server more secure, we added an option to enable the HTTPS protocol. Follow the steps below to configure a secure HTTPS connection.
To enable the HTTPS protocol, set the Enabled
property of the HTTPS
object to true
in the flexmonster‑config.json
file:
"HTTPS": {
"Enabled" : true
}
Add an SSL/TLS certificate. The Data Server supports PFX certificates, PEM certificates, and certificates that can be added using their subject and store:
To add the PFX certificate, specify it as a PFXCertObject:
.pfx
certificate:
"HTTPS": { "Enabled": true, "Certificate": { "Path": "sampleCert.pfx", } }
"HTTPS": { "Enabled": true, "Certificate": { "Path": "sampleCert.pfx", "Password": "samplePassword" } }If the certificate does not require a password, either skip this step or set the
Password
to an empty string.To add the PEM certificate, specify it as a PEMCertObject:
.pem
certificate:
"HTTPS": { "Enabled": true, "Certificate": { "Path": "sampleCert.pem", } }
.pem
file that contains the private key for the certificate:
"HTTPS": { "Enabled": true, "Certificate": { "Path": "sampleCert.pem", "KeyPath": "sampleKey.pem" } }
To add the certificate using its subject and store, specify the certificate as a SubjectStoreObject:
Certificate
object, specify the certificate subject name and the certificate store from which to load the certificate:"HTTPS": {
"Enabled": true,
"Certificate": {
"Subject": "localhost",
"Store": "My"
}
}
"CurrentUser"
, since the default value of the location is "CurrentUser"
. Otherwise, set the Location
property to "LocalMachine"
:"HTTPS": {
"Enabled": true,
"Certificate": {
"Subject": "localhost",
"Store": "My",
"Location": "LocalMachine"
}
}
AllowInvalid
property to true
:"HTTPS": {
"Enabled": true,
"Certificate": {
"Subject": "localhost",
"Store": "My",
"Location": "LocalMachine",
"AllowInvalid": true
}
}
The Protocols
property establishes the HTTP protocols enabled on a connection endpoint or for the server. The Protocols
property can be one of the following values: "Http1"
, "Http2"
, and "Http1AndHttp2"
. For example:
"HTTPS": { "Enabled": true, "Certificate": { "Path": "sampleCert.pfx", "Password": "samplePassword" }, "Protocols": "Http2" }
The Strict-Transport-Security
(HSTS) response header tells browsers that the site only accepts a connection through the HTTPS protocol. This makes the site usage more secure.
Configure HSTS for Flexmonster Data Server either via the HSTS
property or via the Headers
property.
If HSTS is configured via the HSTS
property, it will be automatically added to all the Data Server's responses:
"Security" : { ... "HSTS": { "MaxAge": 31536000, "IncludeSubDomains": true } }
If HSTS is configured via the Headers
property, it will be returned only with a response to XHR:
"Security" : {
...
"Headers": {
"Strict-Transport-Security": "max-age=31536000; includeSubDomains"
}
}
Learn more about the directives of HSTS in the MDN documentation.
Restart the Data Server to apply the configurations. The HTTPS protocol will now be used instead of HTTP.
If you need to use your own authorization mechanism, you can restrict public access to Flexmonster Data Server and enable access to it through a reverse proxy. This approach requires implementing the proxy, which is responsible for data access control. The proxy will decide which requests should be accepted and passed to the Data Server, and which requests should be declined.
Note The proxy has to implement the custom data source API to handle requests from Flexmonster Pivot. Then the proxy will be able to redirect Flexmonster Pivot's requests to the Data Server. To see the full list of requests sent by Flexmonster Pivot, refer to our documentation.
Role-based access is supported when using Flexmonster Data Server as a DLL. Flexmonster.DataServer.Core.dll
allows performing server-side filtering, so it becomes possible to show different subsets of the data to different user groups.
To demonstrate the usage of server-side filtering for role-based permissions, we created an ASP.NET application with a custom server using Flexmonster.DataServer.Core.dll. The GitHub repository contains a solution file DemoDataServerCore.sln
, so the sample can be opened and launched via Visual Studio.
To start the sample application from the console, run the following commands:
cd DemoDataServerCore
dotnet restore
dotnet run
To see the result, open http://localhost:5000/
in the browser.
On the page, there is the pivot table and a dropdown menu. Select a role from the menu to see how it affects the data shown in Flexmonster.
To see how the server-side filtering is implemented in the sample server, refer to the FlexmonsterAPIController.cs file.
To learn more about the server filter, see the Implementing the server filter guide.
When using the Data Server as a console application, connection strings and other configurations are stored in the flexmonster-data-server/flexmonster-config.json file. If you want to store sensitive configurations more securely, set the configurations dynamically as command-line arguments or environment variables.
You may be interested in the following articles: