7 Replies Latest reply on Mar 17, 2016 7:14 AM by Jeff Strauss

    Restrict access to login page

    Toni Juvani

      Hi,

      We have an application that contains embedded Tableau visualizations. User authentication and authorization are handled by our app, and we are using Tableau trusted authentication to provide tickets to the clients for connecting to Tableau views.

      Preventing unauthorized access is very important for our application, and therefore we are currently evaluating possible weaknesses and taking extra measures to secure the system (e.g. we are using two-factor authentication for all users).

      One possible vulnerability is that the Tableau login page is available on the internet for anyone to try brute-force attacks against (even though our users currently do not have passwords set up for login). To remove this possible weakness we would like to restrict access to the regular Tableau login to admin users performing maintenance operations.

      Is it somehow possible to restrict access to the login URL (or to the URL the login credentials are posted to) to our local intranet only?

      I tried adding a RemoteAddrFilter to Program Files\Tableau\Tableau Server\9.1\wgserver\z5\WEB-INF\web.xml but it doesn't seem to do the trick. Any suggestions on how to set up access restriction based on client IP and request URL? Below you can see the configuration I experimented with:


      <filter>
        <filter-name>Remote Address Filter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
        <init-param>
          <param-name>allow</param-name>
          <!-- Internal network is in the 10.0.* address space -->
          <param-value>10\.0\.\d+\.\d+</param-value>
        </init-param>
        <init-param>
          <param-name>denyStatus</param-name>
          <param-value>404</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>Remote Address Filter</filter-name>
        <!-- For testing only. Set correct url -->
        <url-pattern>/*</url-pattern>
      </filter-mapping>


      Br,

      Toni

        • 1. Re: Restrict access to login page
          Derrick Austin

          Hey Toni,

          Why is access allowed outside of the internal network? Should it be? Ideally, this would live inside the network firewall, making it automatically not accessible to the outside world.

          Originally, I thought you might have it set up this way because you are using something like Amazon Web Services, but then I noticed the 10.* addresses - which would be internal only.
          (If it is on AWS, etc. - then maybe that is the reason why your 10.* filter is not working?)

          Assuming it isn't on AWS, have you considered putting some sort of firewall in front of it instead of just putting it out in the wild? Applications like an F5 support this type of filtering very easily.

          - Derrick


          • 2. Re: Restrict access to login page
            Jeff Strauss

            We have a similar scenario of external users coming in via a "client access portal" and then using trusted auth to render reports. Our solution to lock down appropriate content is to leave the Tableau server inside the MPN, and then use an external load balancer that routes traffic from the outside portal and applies filtering rules to specify which URI requests are allowed to be routed to Tableau. It works quite well.

            • 3. Re: Restrict access to login page
              Toni Juvani

               Hi Derrick,

               The application is used over the internet by our customers globally. Therefore we need to have the embedded Tableau views available with trusted authentication but want to prevent public access to the regular Tableau login functionality.

               - Toni

              • 4. Re: Restrict access to login page
                Derrick Austin

                 Oh, that makes sense. If you need it outside accessible, then I definitely agree with Jeffery's comment.

                 Put something in front of it and proxy back.

                 There are a ton of appliances that are built for this.

                • 5. Re: Restrict access to login page
                  Toni Juvani

                   Hi Jeffrey,

                   I was also thinking if an external load balancer would be able to filter requests based on URIs. We have the system running on AWS and are using an elastic load balancer, which unfortunately doesn't seem to support filtering based on URIs. I wouldn't want to add another device (perhaps a Linux box could do that) before the ELB so therefore was thinking about configuring Tomcat to filter the requests instead.

                   - Toni

                  • 6. Re: Restrict access to login page
                    Toni Juvani

                     The thing is that adding Tomcat filter rules seems like something that could be done pretty easily, but apparently the Tableau setup is somehow customized (?) and the configurations I tried do not take effect..

                    • 7. Re: Restrict access to login page
                      Jeff Strauss

                      Our load balancer is nginx running on Linux and it has full config options.  I plead ignorance toward anything else besides playing with the Tableau httpd.config (on dev) and not really having any success with it.
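Putting the URI and client-address filtering into a reverse proxy, as Jeff describes in replies 2 and 7, looks roughly like the nginx configuration below. It is an added example written for this page, not configuration from the thread, from Jeff's site or from Tableau's documentation. In Toni's AWS layout the nginx host would sit behind the ELB (between it and Tableau), not in front of it. Every concrete value in it is an assumption: the addresses (Tableau gateway 10.0.1.20, application servers in 10.0.2.0/24, ELB nodes in 10.0.3.0/24, intranet 10.0.0.0/16) and especially the login URI prefixes, which differ between Tableau versions and must be confirmed by watching the browser's requests during a sign-in. The one URI it relies on that is documented is /trusted, the endpoint the application POSTs to for a ticket and the prefix under which the ticket is later redeemed.

The realip block is the part a practitioner is most likely to get wrong. Behind a load balancer the TCP peer nginx sees is the load balancer, so an allow rule on 10.0.x.x addresses would match every request or none; the client address has to be recovered from X-Forwarded-For, and only the load balancer's subnet may be trusted as a proxy, otherwise an outside client can forge an intranet address by sending its own X-Forwarded-For header. A filter inside Tomcat has the same question to answer: whatever sits in front of it (Tableau's own httpd gateway, and the ELB before that) has to pass the client address through, or the allow rule is compared against the proxy's address rather than the client's.

```nginx
# Added example for this thread (not from the original posts or from Tableau):
# nginx reverse proxy in front of Tableau Server that keeps the regular
# sign-in intranet-only while leaving trusted-ticket traffic reachable.
#
# Assumed addresses and URIs (not from the thread; adjust for your site):
#   10.0.1.20:80   Tableau Server gateway
#   10.0.2.0/24    application servers that request trusted tickets
#   10.0.3.0/24    subnet the ELB nodes live in
#   10.0.0.0/16    intranet, where admins sign in from
#   /auth/ and /vizportal/api/web/v1/login are placeholder login URIs;
#   confirm the real ones for your Tableau version from the browser's
#   network log during a sign-in.

events {
    worker_connections 1024;
}

http {
    # Behind the ELB, $remote_addr is the load balancer's address. Recover the
    # client address from X-Forwarded-For, trusting only hops inside the ELB
    # subnet, so an external client cannot forge an intranet address by
    # sending its own X-Forwarded-For header.
    set_real_ip_from  10.0.3.0/24;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # $intranet is 1 when the recovered client address is on the intranet.
    geo $intranet {
        default     0;
        10.0.0.0/16 1;
    }

    upstream tableau {
        server 10.0.1.20:80;
    }

    server {
        listen 80;
        server_name tableau.example.com;   # assumed hostname

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

        # 1. Ticket issuance: POST /trusted is only valid from the application
        #    servers, which should match the hosts Tableau itself is
        #    configured to trust.
        location = /trusted {
            allow 10.0.2.0/24;
            deny  all;
            proxy_pass http://tableau;
        }

        # 2. Ticket redemption, /trusted/<ticket>/views/...: public. The ticket
        #    is the credential and is meant to be redeemed once, promptly.
        location ~ ^/trusted/[^/]+/ {
            proxy_pass http://tableau;
        }

        # 3. Credential submission for the regular sign-in: intranet only.
        #    Answer 404 rather than 403 so the endpoint is not advertised,
        #    mirroring the denyStatus in the web.xml attempt above.
        location ~ ^/(auth/|vizportal/api/web/v1/login) {
            if ($intranet = 0) {
                return 404;
            }
            proxy_pass http://tableau;
        }

        # 4. Everything else (the viz itself, its scripts and images, and the
        #    session endpoints an embedded view needs) stays reachable. The
        #    sign-in form is served from here as well; what is restricted is
        #    the URL the credentials are posted to, not the static form.
        location / {
            proxy_pass http://tableau;
        }
    }
}
```

Two things to check after deploying this: first, that Tableau's own list of hosts allowed to request tickets (wgserver.trusted_hosts in 9.x) agrees with the subnet in rule 1, so the proxy and Tableau enforce the same boundary; second, that a request from outside carrying a forged `X-Forwarded-For: 10.0.0.5` still gets a 404 from rule 3, which confirms set_real_ip_from is narrow enough.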