Security
Fundamental Principle
Server-side zero trust - The client is never trusted. Every action is re-verified on the server against the WebContent structure stored in the database, never against what the browser claims.
Permissions are declarative (configured in the Dev Panel), not hard-coded. The developer writes no code for the basic security controls; they are applied by the framework.
Security Pipeline (5 Steps)
Every web request goes through this automatic pipeline:
HTTP Request
|
v
1. HTTPS enforced (if a cert.pem is present, plain HTTP is redirected to HTTPS)
|
v
2. License + Session (Component + session verification)
|
v
3. URL Resolution (Domain > Page > Parameters)
|
v
4. Host database hook (BSPH_WEB_ON_CONNECTION)
|
v
5. Security check (Rights, pages, events, POST)
|
v
Business logic
3 Levels of Rights
Access rights are declarative and nested:
| Level | Field | Protects | Behavior |
|---|---|---|---|
| 1 - Domain | WebDomain.userRightUuid | Entire site | Not logged in: redirected to login / Logged in without the right: 403 |
| 2 - Page | WebDomainMenu.userRightUuid | A specific page | Same logic: login redirect or 403 |
| 3 - Block/Field | blockProperties.userRightNeeded | A block or field | Block omitted from the HTML, and any POST data for it is rejected |
"Not authorized to see a button? The button HTML does not exist."
Protected blocks are never sent to the browser.
Action Validation
- Find the WebContent - Query on triggerObject.uuid; an unknown uuid means no action is run.
- Verify the declared event - The className + functionName pair must be in the whitelist declared for that WebContent.
- Validate the data - GG_CHECK_CONSTRAINT checks rights, required fields, regex, types and captcha.
- Filter unexpected fields - Any POST field not declared in the WebContent is removed before the business logic sees it.
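The rights levels and the action-validation steps above, modelled as an added example in Python. This is not BWEB code and does not use 4D or ORDA; the identifiers (`right-staff`, `wc-contact`, `ContactForm.send`, the field names) are constructed for the sample site. It shows the decisions a server makes for one request: anonymous users are sent to login, users without the right get 403, blocks the user may not see are never emitted, an undeclared event is refused, undeclared POST fields are dropped, and POST data for a block the user cannot see is rejected rather than silently accepted.

```python
# Added example (not BWEB code): a minimal model of the three rights levels
# and the action-validation steps, so the decisions can be exercised offline.
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class User:
    uuid: str | None                    # None models "not logged in"
    rights: set = field(default_factory=set)


@dataclass
class FieldSpec:                        # what blockProperties declares for a field
    required: bool = False
    regex: str | None = None
    ftype: type = str
    right_needed: str | None = None     # blockProperties.userRightNeeded


@dataclass
class WebContent:
    fields: dict                        # field name -> FieldSpec
    events: set                         # declared (className, functionName) pairs


@dataclass
class Page:                             # WebDomainMenu
    right: str | None                   # userRightUuid
    contents: dict                      # triggerObject.uuid -> WebContent


@dataclass
class Domain:                           # WebDomain
    right: str | None                   # userRightUuid
    pages: dict                         # path -> Page


class Deny(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status


def resolve_page(user: User, domain: Domain, path: str) -> Page:
    """Levels 1 and 2: anonymous -> login (302), missing right -> 403."""
    page = domain.pages.get(path)
    if page is None:
        raise Deny(404, "no such page")            # malformed URL = 404
    for needed in (domain.right, page.right):
        if needed is None:
            continue
        if user.uuid is None:
            raise Deny(302, "login required")
        if needed not in user.rights:
            raise Deny(403, "forbidden")
    return page


def visible_fields(user: User, content: WebContent) -> list:
    """Level 3: a block the user may not see is never emitted in the HTML."""
    return sorted(name for name, spec in content.fields.items()
                  if spec.right_needed is None or spec.right_needed in user.rights)


def validate_action(user: User, page: Page, post: dict) -> tuple:
    """Find the WebContent, check the event whitelist, filter and validate data."""
    content = page.contents.get((post.get("triggerObject") or {}).get("uuid"))
    if content is None:
        raise Deny(404, "unknown WebContent")
    event = (post.get("className"), post.get("functionName"))
    if event not in content.events:
        raise Deny(403, "event not declared")
    data = post.get("data", {})
    clean = {}
    for name, spec in content.fields.items():        # only declared fields are considered
        if spec.right_needed and spec.right_needed not in user.rights:
            if name in data:                         # data for a hidden block is rejected
                raise Deny(403, f"{name}: block not granted")
            continue
        value = data.get(name)
        if value is None or value == "":
            if spec.required:
                raise Deny(400, f"{name}: required")
            continue
        if not isinstance(value, spec.ftype):
            raise Deny(400, f"{name}: wrong type")
        if spec.regex and not re.fullmatch(spec.regex, value):
            raise Deny(400, f"{name}: regex")
        clean[name] = value
    return event, clean                              # undeclared fields never reach `clean`


# Constructed sample site; every identifier here is hypothetical.
SITE = Domain(right=None, pages={
    "/contact": Page(right=None, contents={
        "wc-contact": WebContent(
            fields={"email": FieldSpec(required=True, regex=r"[^@\s]+@[^@\s]+\.[a-z]+"),
                    "message": FieldSpec(required=True),
                    "internal_note": FieldSpec(right_needed="right-staff")},
            events={("ContactForm", "send")})}),
    "/admin": Page(right="right-admin", contents={}),
})


def outcome(fn, *args):
    """Run a check and return its result, or the HTTP status it would deny with."""
    try:
        return fn(*args)
    except Deny as e:
        return e.status
```

Note the order of the checks: the WebContent lookup and event whitelist run before any field is looked at, so a forged `functionName` is refused without ever validating data, and a field that is not declared for that WebContent is not an error but simply absent from the result handed to the business logic.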
Automatic Protections
| Attack | BWEB Protection |
|---|---|
| Unauthorized access | 3 levels of rights (domain / page / block) |
| Field injection | Only fields declared in WebContent pass through |
| Arbitrary function call | Server whitelist (className + functionName) |
| Man-in-the-middle | HTTPS enforced if cert.pem present |
| Bots / scraping | Malformed URLs return 404; captcha on forms |
| Protected block visible | Block never sent to browser |
Comparison: Raw HTML vs BWEB
| Feature | Raw HTML | BWEB |
|---|---|---|
| Security | Code it yourself | Automatic |
| Maintenance | Source code | Visual Dev Panel |
| 4D Data | Custom REST | Native ORDA |
| CMS | Build it yourself | Included |
| Rights | Code it yourself | 3 declarative levels |
| Validation | Code it yourself | Regex, types, required |
| Events | Not secured | Server whitelist |

