We have updated Flexmonster Software License Agreement, effective as of September 30, 2024. Learn more about what’s changed.
All documentation
  • Introduction
  • Connecting to data source
    1. Supported data sources
    2. Connecting to other data sources
  • Browser compatibility
  • Documentation for older versions
  • Security and authorization guide

    This tutorial describes how to configure the data access security in Flexmonster Data Server used as a Windows/Unix service. To connect the Data Server to your data, refer to the Data sources guide. To install the Data Server as a service, see the Installing Flexmonster Data Server as a Windows/Unix service guide.

    Flexmonster Data Server supports different essential security configurations, such as built-in basic authorization and HTTPS.

    Built-in basic authorization

    By default, Flexmonster Data Server is accessible to anyone who can reach its host. Using the built-in basic authorization, you can restrict access to Flexmonster Data Server.

    Step 1. Create a user

    Open Flexmonster Admin Panel and go to Security > Add New User. Define a username and password, then select Create to add the user.

    Note Once a user is created, you cannot change the username.

    Learn more about managing the users in our guide on the Admin Panel.

    Step 2. Enable authorization

    Go to the Settings tab. Turn on the basic authorization using the Basic auth toggle switch:

    Step 3. Configure CORS

    Basic Authorization requires certain origins to be defined in the Access-Control-Allow-Origin header. Origin is a domain that sends requests to Flexmonster Data Server (e.g., http://localhost:8080 or https://example.com).

    To specify origins that can send requests to the Data Server, fill in the Allow origin input field on the Settings tab.

    To specify several origins, separate them with a comma:

    Step 4. Configure credentials on the client side

    In this step, credentials are configured in Flexmonster Pivot. There are two ways to configure credentials:

    1. Use the withCredentials property:
      dataSource: {
          type: "api",
          url: "http://localhost:9500",
          index: "data",
      withCredentials: true
      }
      In this case, you need to enter your login and password when first connecting to Flexmonster Data Server.
    2. Add a request header with basic authentication. The header should be added in the following way:
      dataSource: {
          type: "api",
          url: "http://localhost:9500",
          index: "data",
      requestHeaders: {
      "Authorization": "Basic QWxhZGRpbjpPcGVuU2VzYW1l"
      }
      }

      Note The header should be specified in the standard for basic authentication format.
      In this case, the authorization will be automatic, and the browser will not ask for the login and password.

    Configure the HTTPS protocol

    All data sent by HTTP is not encrypted and can be inspected. To make the Data Server more secure, we added an option to enable the HTTPS protocol. Follow the steps below to configure a secure HTTPS connection.

    Step 1. Enable the HTTPS protocol

    Open Flexmonster Admin Panel and go to the Settings tab. Turn on HTTPS using the HTTPS toggle switch:

    Step 2. Add a certificate

    Add an SSL/TLS certificate. There are three ways to add a certificate:

    • As a .pfx file.
    • As a .pem file.
    • By specifying its subject and store.

    PFX Certificate

    To add a certificate as a .pfx file, do the following:

    1. On the Settings tab, set the Certificate type configuration to PFX Certificate.
    2. Specify the Path to PFX certificate. Click the folder icon to choose the certificate using a file manager.
    3. optional Specify the Certificate password required to access the certificate. If the certificate does not require a password, skip this step.

    Note Adding the certificate is possible only when HTTPS is enabled.

    Your configuration should look similar to the following:

    PEM Certificate

    To add a certificate as a .pem file, do the following:

    1. On the Settings tab, set the Certificate type configuration to PEM Certificate.
    2. Specify the Path to PEM certificate. Click the folder icon to choose the certificate using a file manager.
    3. Specify the Path to certificate key that is required to access the certificate. Click the folder icon to choose a file with the key using a file manager.

    Note Adding the certificate is possible only when HTTPS is enabled.

    Your configuration should look similar to the following:

    Subject and store

    To add a certificate using its subject and store, do the following:

    1. On the Settings tab, set the Certificate type configuration to Subject-Store.
    2. Specify the certificate subject name and the certificate store from which to load the certificate.
    3. optional By default, the location of the certificate store is Current User. If the needed location is Local Machine, select this option in the Location configuration.
    4. optional To allow using invalid certificates, such as self-signed certificates, enable the Allow invalid toggle button.

    Note Adding the certificate is possible only when HTTPS is enabled.

    Your configuration should look similar to the following:

    Step 3. (optional) Configure the protocols

    The Protocols configuration establishes the HTTP protocols enabled on a connection endpoint or for the server. The Protocols configuration can have one of the following values: HTTP1, HTTP2, and HTTP1 and HTTP2. For example:

    Reverse proxy authorization

    If you need to use your own authorization mechanism, you can restrict public access to Flexmonster Data Server and enable access to it through a reverse proxy. This approach requires implementing the proxy, which is responsible for data access control. The proxy will decide which requests should be accepted and passed to the Data Server, and which requests should be declined.

    Note The proxy has to implement the custom data source API to handle requests from Flexmonster Pivot. Then the proxy will be able to redirect Flexmonster Pivot’s requests to the Data Server. To see the full list of requests sent by Flexmonster Pivot, refer to our documentation.

    Custom authorization and role-based permissions

    Role-based access is supported when using Flexmonster Data Server as a DLLFlexmonster.DataServer.Core.dll allows performing server-side filtering, so it becomes possible to show different subsets of the data to different user groups.

    To demonstrate the usage of server-side filtering for role-based permissions, we created an ASP.NET application with a custom server using Flexmonster.DataServer.Core.dll.  The GitHub repository contains a solution file DemoDataServerCore.sln, so the sample can be opened and launched via Visual Studio.

    To start the sample application from the console, run the following commands:

    cd DemoDataServerCore
    dotnet restore
    dotnet run

    To see the result, open http://localhost:5000/ in the browser.

    On the page, there is the pivot table and a dropdown menu. Select a role from the menu to see how it affects the data shown in Flexmonster.

    To see how the server-side filtering is implemented in the sample server, refer to the FlexmonsterAPIController.cs file.

    To learn more about the server filter, see the Implementing the server filter guide.

    How to store sensitive configurations more securely

    When using the Data Server as a service, connection strings and other configurations are stored in the flexmonster-data-server/flexmonster-config.json file. If you want to store sensitive configurations more securely, use the Data Server as a console application and set the configurations dynamically as command-line arguments or environment variables. 

    Note Setting configurations dynamically is not available for the Data Server as a service.

    What’s next?

    You may be interested in the following articles: