OpenWGA 7.10 - OpenWGA Concepts and Features

Use HTTPS for transporting sensitive data

One might argue whether the recommendation to use HTTPS really counts as an "advanced security feature", as the current trend for websites is to use HTTPS instead of HTTP all of the time. The performance cost of the encryption is generally acceptable, and the increase in difficulty for an attacker trying to read the transmitted data is dramatic. So there is no really good technical reason not to use HTTPS.

Still, setting it up takes some work, and a trusted certificate costs a small fee. And if you really are not transporting any confidential data from your OpenWGA site across open TCP ports, you may not see the need. So using HTTPS is up to you.

Setting up HTTPS is not directly an OpenWGA topic, as it is done by the component that performs the HTTP transport. This is either your application server directly, the integrated Apache Tomcat server (if you are using the OpenWGA Linux packages or installer), or, more likely, an HTTP server that handles the transport for you. So we must refer you to the documentation of the respective component for instructions on how to set up HTTPS.

However, once HTTPS is available you can configure OpenWGA to exclusively use it for certain operations:

Force HTTPS for Login pages

You can ensure that login pages of OpenWGA applications are only accessed via HTTPS. In the OpenWGA Admin Client, open the menu "Configuration > Basic settings":

  • Click "Edit"
  • On the "Other settings" section click "Show/hide more options" to bring up additional options
  • In the select box that appears, find the option "Force login on protocol" and add it by selecting it
  • Set the value of the option to "https" and click "Save"

Note that this enforcement alone is only effective for requests that OpenWGA knows to be login pages, such as a WebTML-generated login URL or the login page a user is redirected to from a site that is not accessible anonymously. It is not effective for WebTML pages called via normal requests that happen to contain a custom-programmed login mechanism.

Enforce HTTPS usage for a web app

You can completely enforce the use of HTTPS for a specific web app by enabling "Secure application mode" on it. This is a publisher option that you can set per web app:

  • Click "Edit" on your web app configuration
  • On the "Publishing settings" section click "Show/hide more options" to bring up additional options
  • In the select box that appears, find the option "Secure application mode" and add it by selecting it
  • Enable the new option and click "Save". The app will be reconnected.

This does more than enforce HTTPS access for your app. If you are using the personalisation mode "Automatic/cookie based", it also stores the personalisation id of users in a secure cookie, i.e. one that the browser only transmits via HTTPS. A slight drawback of this: if you use domain-wide personalisation, secured applications will use different user profiles than "non-secured" ones.
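To verify both settings after enabling them, here is an added example (not part of the OpenWGA documentation or code) that inspects captured HTTP response headers: a plain-HTTP request for a login page should come back as a redirect to an https URL, and a page served in "Secure application mode" should set its personalisation cookie with the Secure attribute. The sample responses and the cookie names in them are constructed placeholders, not OpenWGA's actual values.

```python
from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP response head into (status code, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def login_forced_to_https(raw: str) -> bool:
    """True when a plain-HTTP request for a login page was redirected to an
    https URL, the effect "Force login on protocol = https" should produce."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307, 308):
        return False
    location = next((v for n, v in headers if n == "location"), "")
    return urlsplit(location).scheme == "https"


def cookies_without_secure(raw: str) -> list:
    """Names of cookies set without the Secure attribute. With "Secure
    application mode" the personalisation cookie must not show up here."""
    _, headers = parse_response(raw)
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attributes = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attributes:
            missing.append(cookie_name)
    return missing


# Constructed sample responses (not real OpenWGA output); the cookie names
# are placeholders, not the names OpenWGA actually uses.
LOGIN_OVER_HTTP = """HTTP/1.1 302 Found
Location: https://www.example.com/login?redirect=%2Fintranet%2Fhome
Content-Length: 0
"""
LOGIN_NOT_FORCED = "HTTP/1.1 200 OK\nContent-Type: text/html; charset=UTF-8\n"
SECURE_APP_PAGE = """HTTP/1.1 200 OK
Set-Cookie: personalisation_id=abc123; Path=/; Secure; HttpOnly
Set-Cookie: session=def456; Path=/; HttpOnly
"""
```

Capture the response head of an http:// request to the login URL and of a page request to the secured app (for example with your HTTP server's access tooling or a browser's network panel) and feed each to the matching function.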