42 FileMaker Pro Web Publishing Security Guidelines
Passwords entered in the Web Security Database restrict user access to databases as a whole, but
do not restrict field-level permissions on a user-by-user basis. Use access privileges to restrict
field-level access for a given password (or group of passwords), and use the Web Security Database to
restrict field-level access for an entire database.
Do not enable Multi-User for the Web Security Database.
Do not enable the RDAC plug-in on the machine that is web hosting your databases (including
the Web Security Database), unless you have also configured FileMaker Pro access privileges to
properly secure the direct access to your data using this access method. RDAC will enable all
TCP/IP users, including web users, to use ODBC to work with your database.
Strongly consider password-protecting all databases in the Web Security Database (Web
Users_.fp5, Web Fields_.fp5, and Web Security.fp5) with the same password(s), as this will make
their use and administration much easier.
The Web Security Database gives you the option of entering a Database Password for each
database it protects. This password has to be a valid password created through FileMaker Pro access
privileges. If this password has access restrictions associated with it, they will be combined with
those created in the Web Security Database.
You can't add Web Security Database permissions for users if those permissions are not already
associated with the Database Password. To avoid privilege conflicts, it is better not to mix the two
FileMaker Pro security schemes. Therefore, for Database Password, enter the secured database's
master password. If no password is entered here (and the database has access privilege passwords),
the Database Password will default to the password that the database is currently open with on the
desktop, which may not be the master password.
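The combination rule and the blank-password default described above can be modelled as a small audit. This is an added illustration, not FileMaker code: the privilege names, web users, passwords and file name are constructed, and the model assumes that "combined" means a web user ends up with only the grants the Database Password also allows.

```python
# Added illustration: a model of how the page says the two schemes combine.
# Privilege names, users, passwords and file names are constructed samples.
from dataclasses import dataclass, field

@dataclass
class Database:
    name: str
    passwords: dict   # access-privileges password -> set of allowed actions
    master: str       # the master password
    open_with: str    # password the file is currently open with on the desktop

@dataclass
class WsdEntry:       # one protected database in the Web Security Database
    database: Database
    database_password: str = ""                     # "" = left blank
    user_perms: dict = field(default_factory=dict)  # web user -> set of grants

def resolve_password(entry):
    """A blank Database Password falls back to the currently open password."""
    return entry.database_password or entry.database.open_with

def audit(entry):
    """Return (effective permissions per web user, list of findings)."""
    db, pw = entry.database, resolve_password(entry)
    findings = []
    allowed = db.passwords.get(pw)
    if allowed is None:
        findings.append(f"{db.name}: Database Password is not a valid password")
        allowed = set()
    elif pw != db.master:
        how = "was left blank and defaulted to" if not entry.database_password else "is"
        findings.append(f"{db.name}: Database Password {how} a non-master password")
    effective = {}
    for user, grants in entry.user_perms.items():
        effective[user] = grants & allowed   # restrictions combine
        for lost in sorted(grants - allowed):
            findings.append(f"{db.name}: {user} granted '{lost}' on the web, "
                            "but the Database Password does not allow it")
    return effective, findings

ORDERS = Database("orders.fp5",
                  passwords={"master-pw": {"browse", "create", "edit", "delete"},
                             "readonly-pw": {"browse"}},
                  master="master-pw", open_with="readonly-pw")
BLANK = WsdEntry(ORDERS, "", {"alice": {"browse", "edit"}, "bob": {"browse"}})
FIXED = WsdEntry(ORDERS, "master-pw", BLANK.user_perms)

if __name__ == "__main__":
    for label, entry in (("blank", BLANK), ("master", FIXED)):
        print(label, *audit(entry), sep="\n  ")
```

With the Database Password left blank, the sample web user loses the edit grant because the file happens to be open with a read-only password; entering the master password leaves the Web Security Database as the only scheme that restricts web users.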
Disable Web Companion file sharing for the Web Security Database.
The Web Companion performs a validation check of the Web Security Database the first time a
web request is received with the Web Security Database enabled. All of the Web Security
Database's own fields, and all expected value list entries for those fields, must be verified before
web serving can commence. If problems are detected, web users will be informed that Security is
disabled (and their requests will not be acted on). For this reason, it is strongly recommended that
fields and value lists inherent to the Web Security Database itself (and its related databases) not be
altered in any way.
FileMaker Pro Unlimited only: When you run the FileMaker Web Server Connector (FMWSC)
on a Windows machine, you must use basic authentication. Basic authentication prompts your
users to enter both a user name and a password when they log on to the database. To use basic
authentication with the Web Security Database, you must create a record in the Web Security
Database for each user listing their user name and password, as described in "Assigning Web
Security to your databases" on page 32. The user names and passwords you list must match those
of valid accounts on the web server machine, except when "all users" is specified in the Web
Security Database.
Note
User names and passwords passed between the Web Companion and FMWSC are sent as
clear text.