Skip to main content

Controlling Access to CSP Pages

Access to CSP pages is controlled partly by the security settings of the web application in which the CSP pages are executed. In addition, you can create a custom login page, you can make pages private and you can require permissions to use pages.

Creating a Custom CSP Login Page

To create a custom CSP login page:

  1. Create a subclass of the %CSP.LoginOpens in a new tab page.

  2. To customize your application’s behavior, override the subclass’s Draw methods, so that the page looks how you want. These include methods that modify the appearance of the login page and methods that modify the appearance of the security token page (if you are using two-factor authentication):

    Note that the DrawTitleOpens in a new tab and DrawSTTitleOpens in a new tab methods call the DrawTitleSectionOpens in a new tab method.

  3. Invoke the subclass as needed in your application.

Important:

When creating a custom login page, you must use a subclass of %CSP.LoginOpens in a new tab. Other approaches for creating login pages in CSP applications can cause problems of various kinds.

If you have written custom login pages that do not use a subclass of %CSP.Login and you apply any changes from InterSystems that upgrade or secure your instance, your login pages may fail without error messages. For example, users may attempt to log in with valid usernames and passwords, but their logins will fail without any visible cause. This situation may indicate that you need to change your custom login to use the required approach.

Making a Page Private

If you make a page private, when a user tries to display the page, the browser shows a message saying Forbidden.

To make a page private, so that it can be accessed only via links from other CSP pages, specify the PRIVATE class parameter as 1:

Parameter PRIVATE = 1;

By default, pages are public.

Requiring Permissions to Use the Page

Use the SECURITYRESOURCE class parameter to limit access to CSP pages. For example:

Parameter SECURITYRESOURCE = "%Development:USE";

The SECURITYRESOURCE parameter must be a comma-delimited list of system resources and the required permissions for each. You can specify an OR condition using the vertical bar (|) and an AND condition using a comma (,). A user must hold the specified permissions on all of the specified resources in order to view this page or invoke any of its server-side methods from the client.

An item in the list has the following format:

Resource[:Permission]

Resource is any of the resources defined on the server. Navigate to System Administration > Security > Resources for a list of resources.

Permission is one of USE, READ, or WRITE. Optional; default is USE.

For another example:

Parameter SECURITYRESOURCE = "R1,R2|R3,R3|R4" ;

This example means the user must have resource R1 AND one of (R2 OR R3) AND one of (R3 OR R4). If the user has R1,R3 they can run the page. If the user has R1,R4, they cannot run the page, as they do not meet the R2 OR R3 condition. The vertical bar (|) OR condition takes precedence over the comma (,) AND condition.

FeedbackOpens in a new tab