54.2 Configuring the WebAccess Application

The WebAccess Application, which resides on the Web server, provides the WebAccess user interface. As users perform actions in the WebAccess client, the WebAccess Application passes information between the Web browser and the WebAccess Agent.

Figure 54-4 WebAccess Application

During installation, the WebAccess Application is set up with a default configuration. However, you can use the information in the following sections to optimize the WebAccess Application configuration:

54.2.1 Modifying the WebAccess Application Environment Settings

Using ConsoleOne, you can modify the WebAccess Application’s environment settings. The environment settings determine such things as the location where ConsoleOne stores the WebAccess Application’s configuration file and how long the WebAccess Application maintains an open session with an inactive user.

To modify the environment settings:

  1. In ConsoleOne, right-click the WebAccess Application object (GroupWiseWebAccess), then click Properties.

    NOTE: The WebAccess Application object is not available in the GroupWise View. To locate the WebAccess Application object, you must use the Console View.

  2. Click Application > Environment to display the Environment page.

    Environment property page
  3. Modify any of the following fields:

    Configuration File: The WebAccess Application does not have access to Novell eDirectory or the GroupWise domain database. Therefore, ConsoleOne writes the application’s configuration information to the file specified in this field. By default, this is the webacc.cfg file located in the WebAccess Application’s home directory, which varies by platform.

    In general, you should avoid changing the location of the file. If you do, you need to make sure to modify the webacc.cfg path in the Java servlet engine’s property file (for example, web.xml for Tomcat). If you do not, the WebAccess Application continues to look for its configuration information in the old location.

    File Upload Path: When a user attaches a file to an item, the file is uploaded to the directory displayed in this field. By uploading the file before the item is sent, less time is required to send the item when the user clicks the Send button. After the user sends the item (or cancels it), the WebAccess Application deletes the file from the directory.

    Specify the upload directory you want to use. The default path is to the temp directory, located in the WebAccess Application’s home directory, which varies by platform.

    NetWare:

    sys:\Novell\GroupWise\WebAccess on the Web server

    Linux:

    /var/opt/novell/groupwise/webaccess

    Windows:

    c:\Novell\GroupWise\WebAccess on the Web server

    Logout URL: By default, users who log out of GroupWise WebAccess are returned to the login page. If desired, you can enter the URL for a different page.

    The logout URL can be defined in this location and two additional locations. These locations are listed below, in the order that the WebAccess Application checks them.

    • Trusted server logout URL (configured on the Security page)

    • Template-specific logout URL (configured on the Templates page)

    • General logout URL (configured on the Environment page)

    For example, you define a general logout URL (WebAccess Application object > Environment) and a Standard HTML template logout URL (WebAccess Application object > Templates). You are not using trusted servers, so you do not set any trusted server logout URLs. When a Standard HTML template user logs out of WebAccess, the Standard HTML template logout URL is used. However, when a Basic HTML template user logs out, the general logout URL is used.

    If none of these locations include a logout URL, the WebAccess Application defaults to the standard login page.

  4. Click OK to save the changes.

54.2.2 Adding or Removing Service Providers

The WebAccess Application receives requests from users and then passes the requests to the appropriate service provider. The service provider fills the requests and returns the required information to the WebAccess Application. The WebAccess Application merges the information into the appropriate template and displays it to the user.

To function properly, the WebAccess Application must know which service providers are available. WebAccess includes three service providers:

  • GroupWise service provider (GroupWiseProvider object): Communicates with the WebAccess Agent to fill GroupWise requests.

  • Document service provider (GroupWiseDocumentProvider object): Communicates with the WebAccess Agent to fill WebPublisher requests.

  • LDAP service provider (LDAPProvider object): Communicates with LDAP servers to fill LDAP requests, such as LDAP directory searches initiated through the GroupWise Address Book.

The service providers are installed and configured at the same time as the WebAccess Application. You can disable a service by removing the corresponding provider.

If you create new service providers to expose additional services through GroupWise WebAccess, you must define those service providers so that the WebAccess Application knows about them.

To define service providers:

  1. In ConsoleOne, right-click the WebAccess Application object, then click Properties.

  2. Click Application > Services to display the Services page.

    The Provider List displays all service providers that the WebAccess Application is configured to use.

    WebAccess Application Provider List
  3. Choose from the following options:

    Add: To add a service provider to the list, click Add, browse for and select the service provider’s object, then click OK.

    Edit: To edit a service provider’s information, select the provider in the list, then click Edit. For information about the modifications you can make, see Section 54.4, Configuring the GroupWise Service Provider and Section 54.5, Configuring the LDAP Service Provider.

    Delete: To remove a service provider from the list, select the provider, then click Delete.

  4. Click OK to save the changes.

54.2.3 Modifying WebAccess Application Template Settings

When the WebAccess Application receives information from a service provider, it merges the information into the appropriate WebAccess template before displaying the information to the user. Using ConsoleOne, you can modify the WebAccess Application’s template settings. The template settings determine such things as the location of the templates, the maximum amount of server memory to use for caching the templates, and the default template language.

Configuring WebAccess Application Templates

  1. In ConsoleOne, right-click the WebAccess Application object, then click Properties.

  2. Click Application > Templates to display the Templates page.

    Templates property page
  3. Modify any of the following fields:

    Template Path: Select the location of the template base directory. The template base directory contains the subdirectories (simple, frames, hdml, and wml) for each of the templates provided with GroupWise WebAccess. If you create your own templates, you need to place the templates in a new subdirectory in the template base directory. The default template path is based on the Tomcat installation location and varies by platform:

    Java Package: Specify the Java package that contains the template resources used by the WebAccess Application. The default package is templates.webacc.

    Images URL: Specify the URL for the GroupWise WebAccess image files. These images are merged into the templates along with the GroupWise information. This URL must be relative to the tomcat_directory/webapps directory. The default relative URL is:

    /gw/webaccess/build_date/images
    

    Help URL: Specify the URL for the GroupWise WebAccess Help files. This URL must be relative to the tomcat_directory/webapps directory. The default relative URL is:

    /gw/com/novell/webaccess/help/language_code
    

    Enable Template Caching: To speed up access to the template files, the WebAccess Application can cache the files to the server’s memory. Select this option to turn on template caching.

    Cache Size: Select the maximum amount of memory, in kilobytes, that you want to use when caching the templates. The default cache size, 2500 KB, is sufficient to cache all templates shipped with GroupWise WebAccess. If you modify or add templates, you can turn on Verbose logging (WebAccess Application object > Application > Log Settings) to view the size of the template files. Using this information, you can then change the cache size appropriately.

    Default Language: If you have more than one language installed, select the language to use when displaying the initial GroupWise WebAccess page. If users want the GroupWise WebAccess interface (templates) displayed in a different language, they can change it on the initial page.

    Define User Interfaces: GroupWise WebAccess supports Web browsers on many different devices (for example, computers and wireless telephones). Each device supports specific content types such as HTML, HDML, and WML. When returning information to a device’s Web browser, the WebAccess Application must merge the information into a set of templates to create an interface that supports the content type required by the Web browser.

    GroupWise WebAccess ships with five predefined user interfaces (Standard HTML, Basic HTML, Handheld Device Markup Language, Wireless Markup Language, and Web Clipping). These interfaces support Web browsers that require HTML, HDML, and WML content types. Click the User Interface button to view, add, modify, or delete user interfaces. For more information, see Defining WebAccess User Interfaces below.

  4. Click OK to save the changes.

Defining WebAccess User Interfaces

  1. From the WebAccess Application object’s Templates page, click Define User Interfaces to display the Define User Interfaces dialog box.

    Define User Interfaces dialog box

    The dialog box includes three tabs:

    User Interfaces: The User Interfaces tab lets you add, modify, and remove user interfaces, as well as determine whether or not GroupWise data added to an interface should be cached on proxy servers. Each interface consists of template files that support a specific content type. For example, the predefined Standard HTML interface uses frame-based HTML templates, located in the frames directory, that support the text/html content type.

    Browser User Agents: The Browser User Agents tab lets you associate a user interface with a Web browser. The association is based on the browser’s User Agent information (signature, platform, version, and so forth). For example, if a browser’s User Agent information includes "Windows CE" (one of the predefined entries), the WebAccess Application uses the Basic HTML interface (no-frames interface).

    Browser Accept Types: The Browser Accept Types tab lets you associate a user interface with a Web browser. The association is based on the content type the browser accepts. For example, if a browser accepts text/html (one of the predefined entries), the WebAccess Application uses the Standard HTML interface (frames-based interface).

  2. To add, remove, or modify user interfaces, click the User Interfaces tab.

    Define User Interfaces dialog box with the User Interfaces tab displayed

    The User Interface list displays all available user interfaces. The list includes the following information:

    User Interface: This column displays the name assigned to the user interface (for example, Standard HTML or Wireless Markup Language).

    Template: This column displays the directory in which the template files are located. Only the directory name is shown. You can append this directory name to the template path shown on the Templates page to see the full template directory path.

    Content Type: This column displays the content type required by the templates (for example, text/html, text/x-hdml, or text/vnd.wap.wml).

    Logout URL: By default, when a user logs out, he or she is returned to the standard login page. When adding or editing the user interface, you can use the logout URL to define a different page. If you do so, this column displays the URL. This URL overrides the logout URL specified on the WebAccess Application object’s Environment page (see Section 54.2.1, Modifying the WebAccess Application Environment Settings). It is overridden by the logout URL specified for a trusted server on the WebAccess Application object’s Security page (see Section 54.2.4, Securing WebAccess Application Sessions).

    Choose from the following options to manage the user interfaces:

    Add: Click Add to add a user interface to the list.

    Edit: Select a user interface in the list, then click Edit to edit the interface’s name, template directory, content type, or proxy caching setting.

    Default: Select a user interface in the list, then click Default to make that interface the default interface. The WebAccess Application uses the default interface only if it can’t determine the appropriate interface based on the browser’s User Agent (WebAccess Application object > Browser User Agent) or the browser’s accepted content types (WebAccess Application object > Browser Accept Types).

    Delete: Select a user interface in the list, then click Delete to remove the interface. This only removes the entry from the list. It does not delete the template files from the template directory.

  3. To associate a user interface with a Web browser based on the browser’s User Agent information, click Browser User Agents.

    Define User Interfaces dialog box with the Browser User Agents tab displayed

    The Browser User Agents tab lets you associate a user interface with a Web browser. The association is based on the browser’s User Agent information (signature, platform, version, and so forth). For example, if a browser’s User Agent information includes Windows CE (one of the predefined entries), the WebAccess Application uses the Basic HTML interface (no-frames interface).

    If a browser’s User Agent information matches more than one entry in the list, the application uses the first entry. If the browser’s User Agent information does not match any entries in the list, the WebAccess Application tries to select an interface based on the content types the browser accepts (WebAccess Application object > Browser Accept Types). If no match is made based on the Accept Types information, the WebAccess Application uses the default user interface listed on the User Interfaces tab.

    Choose from the following options to manage the associations:

    Add: Click Add to add an entry to the list.

    Edit: Select an entry from the list, then click Edit to edit the entry’s information.

    Up: Select an entry from the list, then click Up to move it up in the list. If two entries match the information in a browser’s User Agent header, the WebAccess Application uses the interface associated with the first entry listed.

    Down: Select an entry from the list, then click Down to move it down in the list.

    Delete: Select an entry from the list, then click Delete to remove the entry.

  4. To associate a user interface with a Web browser based on the content type that the browser accepts, click Browser Accept Types.

    Define User Interfaces dialog box with the Browser Accept Type tab displayed

    The Browser Accept Types tab lets you associate a user interface with a Web browser. The association is based on the content type the browser accepts. For example, if a browser accepts text/html (one of the predefined entries), the WebAccess Application uses the Standard HTML interface (frames-based interface).

    Many browsers accept more than one content type (for example, both text/html and text/plain). If the list contains more than one acceptable content type, the WebAccess Application uses the browser’s preferred content type, which is the type that is listed first in the browser’s Accept Type header.

    If no interface can be determined based on the entries in the list, the WebAccess Application uses the default user interface listed on the User Interfaces tab.

    Choose from the following options to manage the associations:

    Add: Click Add to add an entry to the list.

    Edit: Select an entry from the list, then click Edit to edit the entry’s information.

    Delete: Select an entry from the list, then click Delete to remove the entry.

  5. Click OK to save your changes and return to the WebAccess Application object’s Templates page.
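The selection order described above (User Agent entries, then Accept types, then the default interface) and the logout URL precedence from Section 54.2.1 can be modeled together. This is an added example, not Novell code: the list contents beyond "Windows CE" and text/html, the example.com URLs, the LOGIN_PAGE placeholder, and the case-insensitive substring match are assumptions.

```python
from typing import List, Optional, Tuple

# Constructed sample lists. "Windows CE" and text/html are the predefined
# entries named on this page; the remaining rows are illustrative.
UA_ENTRIES: List[Tuple[str, str]] = [
    ("Windows CE", "Basic HTML"),
]
ACCEPT_ENTRIES: List[Tuple[str, str]] = [
    ("text/html", "Standard HTML"),
    ("text/x-hdml", "Handheld Device Markup Language"),
    ("text/vnd.wap.wml", "Wireless Markup Language"),
]
DEFAULT_INTERFACE = "Standard HTML"


def select_interface(user_agent: str, accept_header: str,
                     ua_entries=UA_ENTRIES, accept_entries=ACCEPT_ENTRIES,
                     default=DEFAULT_INTERFACE) -> str:
    """Pick a user interface: User Agent list, then Accept types, then default."""
    ua = user_agent.lower()
    # 1. Browser User Agents: entries are tried top to bottom, first match wins.
    #    Case-insensitive substring matching is an assumption of this sketch.
    for fragment, interface in ua_entries:
        if fragment.lower() in ua:
            return interface
    # 2. Browser Accept Types: walk the types in the order the browser sent
    #    them, so the first listed type that has an entry decides.
    by_type = {ctype.lower(): interface for ctype, interface in accept_entries}
    for item in accept_header.split(","):
        ctype = item.split(";", 1)[0].strip().lower()  # drop ;q= parameters
        if ctype in by_type:
            return by_type[ctype]
    # 3. Nothing matched: fall back to the default interface.
    return default


def resolve_logout_url(trusted_server_url: Optional[str],
                       template_url: Optional[str],
                       general_url: Optional[str],
                       login_page: str) -> str:
    """Return the first logout URL that is set, in the order WebAccess checks."""
    for candidate in (trusted_server_url, template_url, general_url):
        if candidate:
            return candidate
    return login_page


# Constructed configuration mirroring the example in Section 54.2.1: a general
# logout URL, a Standard HTML template logout URL, and no trusted servers.
GENERAL_LOGOUT = "https://portal.example.com/bye"
TEMPLATE_LOGOUT = {"Standard HTML": "https://portal.example.com/bye-standard"}
LOGIN_PAGE = "LOGIN_PAGE"  # placeholder for the standard login page


def logout_target(user_agent: str, accept_header: str,
                  trusted_server_url: Optional[str] = None) -> Tuple[str, str]:
    """Return (interface, logout URL) for one request's headers."""
    interface = select_interface(user_agent, accept_header)
    return interface, resolve_logout_url(trusted_server_url,
                                         TEMPLATE_LOGOUT.get(interface),
                                         GENERAL_LOGOUT, LOGIN_PAGE)


if __name__ == "__main__":
    print(logout_target("Mozilla/4.0 (compatible; MSIE 4.01; Windows CE)", "text/html"))
    print(logout_target("ExampleBrowser/1.0", "text/html, text/plain"))
```

Because the User Agent list is checked first, a device that also accepts text/html still gets the Basic HTML interface, and with it the general logout URL rather than the Standard HTML one.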

Using Your Own Customized Templates

Under certain very specific circumstances, it was possible for a user to view WebAccess template files from a Web browser without logging in to WebAccess. Although there is no confidential information located in any of the template files that are accessible in this manner, a line was added to the webacc.cfg file to prevent such access:

Templates.requireAuthentication=true

With this setting, unauthenticated users have no access to any WebAccess template files except for the Login page. If you have customized WebAccess templates for your own specialized use, this setting causes your templates to be inaccessible, even if GroupWise authentication was not previously required. You can turn off the authentication requirement by changing the line in the webacc.cfg file to:

Templates.requireAuthentication=false
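A small audit helper for this setting, useful when reviewing several Web servers. It is an added example, not part of the GroupWise product; it assumes webacc.cfg uses key=value lines with # or ! marking comments, and the sample text is constructed.

```python
KEY = "Templates.requireAuthentication"

# Constructed sample; Example.otherSetting is a hypothetical key used as filler.
SAMPLE_CFG = """\
# constructed sample webacc.cfg fragment
Example.otherSetting=1
#Templates.requireAuthentication=true
Templates.requireAuthentication = False
"""


def audit_template_auth(cfg_text: str):
    """Return (status, line_numbers) for the template authentication setting.

    status is one of:
      "enforced"  the key is set to true
      "disabled"  the key is set to false (templates reachable without login)
      "missing"   no active line sets the key (commented-out lines do not count)
      "conflict"  the key appears more than once with different values
      "invalid"   the value is neither true nor false
    """
    seen = []  # (line number, normalized value) for every active occurrence
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment (assumed syntax)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            seen.append((lineno, value.strip().lower()))

    lines = [n for n, _ in seen]
    values = {v for _, v in seen}
    if not seen:
        return "missing", []
    if len(values) > 1:
        return "conflict", lines
    value = values.pop()
    if value == "true":
        return "enforced", lines
    if value == "false":
        return "disabled", lines
    return "invalid", lines


if __name__ == "__main__":
    print(audit_template_auth(SAMPLE_CFG))
```

Treat every status other than "enforced" as a finding to review against the reason the templates were customized.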

54.2.4 Securing WebAccess Application Sessions

The WebAccess Application includes several settings to help you ensure that user information is secure. You can:

  • Specify a period of time after which inactive sessions are closed. The default is 20 minutes.

  • Secure sessions through the use of client IP binding or browser session cookies.

  • Disable information caching by proxy servers and Web browsers.

  • Enable GroupWise authentication through a trusted server.

To modify the security settings:

  1. In ConsoleOne, right-click the WebAccess Application object, then click Properties.

  2. Click Application > Security to display the Security page.

    Security property page
  3. Modify any of the following fields:

    Timeout for Inactive Sessions: When a user logs in, the WebAccess Application opens a session with the user. This option lets you specify a period of time after which the WebAccess Application closes a session that has become inactive. A session becomes inactive when the user does not perform any actions, such as opening a message, that generate calls to the WebAccess Application. Having a timeout period not only provides security for user e-mail but also ensures that GroupWise WebAccess runs efficiently.

    Select how long the WebAccess Application should wait before ending an inactive session. If the user attempts to perform an action after the session has timed out, he or she is prompted to log in again.

    Path for Inactive Sessions: Browse for and select the folder where you want the WebAccess Application to save information about inactive sessions. This allows the WebAccess Application to return the user to the exact state he or she was in when the session timed out. Inactive sessions are automatically deleted after a period of time.

    The default path is to the users directory, located in the WebAccess Application’s home directory, which varies by platform.

    Use Client IP in Securing Sessions: Select this option if you want the WebAccess Application to bind the client IP address to the session. For that session, the WebAccess Application accepts requests from the bound IP address only. If you are using a proxy server that masks the client IP address, you should use the Use Cookies option instead.

    User Interface/Use Cookies/Disable Caching: You can increase security by using session cookies and disabling caching of WebAccess information. Session cookies and caching are configurable on a per-user-interface (template) basis. For example, you could use session cookies and disable caching for the Standard HTML interface and not use session cookies or disable caching for the Wireless Markup Language interface.

    • Use Cookies: Select this option if you want the WebAccess Application to use a session cookie to secure the user’s session. The session cookie, which is created when the user opens the session, ties the session to the browser and ensures that the WebAccess Application accepts session requests from that browser only. The session cookie is held in memory and exists only as long as the user is logged in.

      By default, session cookies are enabled for all interfaces, with the exception of the Web Clippings interface, which does not support session cookies.

    • Disable Caching: This option affects both Web browser caching and proxy server caching. Because the WebAccess Application sends sensitive mailbox information (such as message text and passwords) to users, caching of files by Web browsers and proxy servers can pose an information security risk.

      If you select the Disable Caching option, the WebAccess Application includes a disable caching request in the header of each file that it sends. By default, Web browsers honor this request and do not cache files that include the request. Proxy servers, on the other hand, might or might not honor the request, depending on how they are configured. If the proxy server honors the request, the file is not cached; if it does not honor the request, the file is cached, regardless of this setting.

    Single Sign-On: The WebAccess Application supports authentication to GroupWise using Base64 authentication header credentials generated by a trusted server (for example, a Novell Access Manager Authentication Server). The authentication header generated by the trusted server must contain the username and password required to log the user into GroupWise. For this to occur, one of the following conditions must be met:

    • The regular GroupWise username and password must match the credentials passed from the trusted server.

      or

    • The LDAP authentication credentials used by each POA (if LDAP has been enabled) must match the credentials passed from the trusted server (Post Office object > GroupWise > Security).

    If the credentials passed from the trusted server match the credentials being used by the GroupWise system, then the GroupWise WebAccess login page is bypassed and the user has immediate access to the requested mailbox.

    To specify a trusted server whose authentication header credentials are accepted by the WebAccess Application, click Add to display the Add Trusted Server Information dialog box, then provide the server’s IP address or DNS hostname. For more information about the fields in the Add Trusted Server Information dialog box, click the dialog box’s Help button.
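The interaction of the inactivity timeout, client IP binding, and session cookies can be seen in a small model. This is an added example, not the WebAccess implementation; the class, its method names, the status strings, and the documentation-range IP addresses are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_IDLE_TIMEOUT = 20 * 60  # seconds; this page gives 20 minutes as the default


@dataclass
class _Session:
    user: str
    client_ip: str
    cookie: str
    last_activity: float


class SessionGuard:
    """Model of the per-request checks behind the Security page options."""

    def __init__(self, bind_client_ip: bool = False, use_cookie: bool = True,
                 idle_timeout: int = DEFAULT_IDLE_TIMEOUT):
        self.bind_client_ip = bind_client_ip   # "Use Client IP in Securing Sessions"
        self.use_cookie = use_cookie           # "Use Cookies"
        self.idle_timeout = idle_timeout       # "Timeout for Inactive Sessions"
        self._sessions: Dict[str, _Session] = {}

    def open(self, user: str, client_ip: str, now: float) -> Tuple[str, str]:
        """Create a session at login; return (session id, session cookie)."""
        sid = secrets.token_urlsafe(16)
        cookie = secrets.token_urlsafe(32)     # held in memory only, never persisted
        self._sessions[sid] = _Session(user, client_ip, cookie, now)
        return sid, cookie

    def check(self, sid: str, client_ip: str, cookie: Optional[str],
              now: float) -> str:
        """Validate one request and return a status string."""
        session = self._sessions.get(sid)
        if session is None:
            return "unknown-session"
        if now - session.last_activity > self.idle_timeout:
            del self._sessions[sid]            # user must log in again
            return "timed-out"
        if self.bind_client_ip and client_ip != session.client_ip:
            return "ip-mismatch"
        if self.use_cookie and not hmac.compare_digest(cookie or "", session.cookie):
            return "cookie-mismatch"
        session.last_activity = now            # only accepted requests count as activity
        return "ok"


if __name__ == "__main__":
    # A user behind a proxy pool: the source address changes between requests.
    ip_bound = SessionGuard(bind_client_ip=True, use_cookie=False)
    sid, _ = ip_bound.open("alice", "203.0.113.10", now=0)
    print(ip_bound.check(sid, "203.0.113.11", None, now=60))      # ip-mismatch

    cookie_bound = SessionGuard(bind_client_ip=False, use_cookie=True)
    sid, cookie = cookie_bound.open("alice", "203.0.113.10", now=0)
    print(cookie_bound.check(sid, "203.0.113.11", cookie, now=60))  # ok
```

The first case shows why the page recommends Use Cookies when a proxy masks or rotates the client address: IP binding rejects the legitimate user, while the cookie still ties the session to the browser.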

54.2.5 Controlling Availability of WebAccess Features

By default, WebAccess users can:

  • Spell check messages

  • Search LDAP directories

  • Change their GroupWise mailbox passwords

  • Use Document Management Services

  • Open attachments in native format

  • Open documents in native format

  • View attachments in HTML format

  • View documents in HTML format

All users who log in through a single Web server have the same feature access. You cannot configure individual user settings. However, if you have multiple Web servers, you can establish different settings for the Web servers by completing the following steps for each server’s WebAccess Application.

To configure the WebAccess Application’s user settings:

  1. In ConsoleOne, right-click the WebAccess Application object, then click Properties.

  2. Click Application > Settings to display the Settings page.

    Settings property page
  3. Configure the following settings:

    Spell Check Items: Enable this option if you want users to be able to spell check an item’s text before sending the item. Disable this option to remove all spell check features from the user interface.

    Search LDAP Directories: Enable this option if you have an LDAP server and you want users to be able to search any LDAP address books you have defined. Disable this option to remove all LDAP features from the user interface.

    Change Passwords: Enable this option if you want users to be able to change their Mailbox passwords. Disable this option to remove all Password features from the user interface.

    Access Document Management: Enable this option if you want users to be able to use the Document Management features. Disable this option to remove all Document Management features from the user interface.

    Open Attachments in Native Format: By default, the Save As option enables users to save message attachments to their local drives and then open them in their native applications. You can turn on this option to enable the Open option. The Open option enables users to open message attachments directly in their native applications without first saving the files to the local drive.

    This option requires that 1) each user’s Web browser knows the correct application or plug-in to associate with the attachment, according to its file extension or MIME type, and 2) the application or plug-in is available to the user. Otherwise, the user is prompted to save the file to disk or specify the application to open it.

    This option and the View Attachments in HTML Format option can both be enabled at the same time. Doing so gives users both the Open option and the View option, which means they have the choice of opening an attachment in its native application or viewing it as HTML.

    Open Documents in Native Format: By default, the Save As option enables users to save library documents to their local drives and then open them in their native applications. You can turn on this option to enable the Open option. The Open option enables users to open documents directly in their native applications without first saving the files to the local drive.

    This option requires that 1) each user’s Web browser knows the correct application or plug-in to associate with the document, according to its file extension or MIME type, and 2) the application or plug-in is available to the user. Otherwise, the user is prompted to save the file to disk or specify the application to open it.

    This option and the View Documents in HTML Format option can both be enabled at the same time. Doing so gives users both the Open option and the View option, which means they have the choice of opening a document in its native application or viewing it as HTML.

    • Include Only Files With These Extensions: If you want only certain file types to have the Open option, enter the file types in the Include Only Files With These Extensions field. Include only the extension and separate each extension with a comma (for example, doc, xls, ppt). The Open option is not available for any file types not entered in this field. This setting applies when opening either library documents or attachments.

    View Attachments in HTML Format: Enable this option if you want users to be able to view any type of attachments in HTML format. Disable this option to require users to save an attachment to a local drive and view it in its native application. WebAccess uses Oracle Outside In HTML Export to convert files to HTML format. For a list of the supported file format conversions, see Oracle Outside In Technology Supported Formats.

    This option and the Open Attachments in Native Format option can both be enabled at the same time. Doing so gives users both the View option and the Open option, which means they have the choice of viewing an attachment as HTML or opening it in its native application.

    View Documents in HTML Format: Enable this option if you want users to be able to view library documents in HTML format. Disable this option to require users to save a document to a local drive and view it in its native application. WebAccess uses Oracle Outside In HTML Export to convert files to HTML format. For a list of the supported file format conversions, see Oracle Outside In Technology Supported Formats.

    This option and the Open Documents in Native Format option can both be enabled at the same time. Doing so gives users both the View option and the Open option, which means they have the choice of viewing a document as HTML or opening it in its native application.

    • Exclude Files With These Extensions: If you want to exclude certain file types from having the View option, specify the file types in the Exclude Files With These Extensions field. Include only the extension and separate each extension with a comma (for example, doc, xls, ppt). The View option is available for any file types not entered in this field. This setting applies when viewing either library documents or attachments.

    • Maximum Document View Size: Specify the maximum size file that can be viewed in HTML format. If a file exceeds the maximum size, it must be opened in native format (if allowed) rather than viewed in HTML format. The default maximum size is 1024 KB. This setting applies when viewing either library documents or attachments.

  4. Click OK.