Security issues (StartCISPage, index.html & conf_index.jsp)

[1] StartCISPage servlet:

Considering the following URL to access Natural for AJAX…

https://www.njxserver.com.br/cisnatural/servlet/StartCISPage?PAGEURL=/cisnatural/NatLogon.html&xciparameters.natsession=FC

We could insert script code as a parameter to PAGEURL (which could be executed on the user side and, in the case of malicious code, could cause harm) as follows…

https://www.njxserver.com.br/cisnatural/servlet/StartCISPage?PAGEURL="%20onmouseover%3Dalert%28%27TDIclavisXSS%27%29%20bad%3d%22&xciparameters.natsession=FC

QUESTION: is there any hint to avoid this?

[2] “index.html” and “conf_index.jsp”
Considering that:
• From these modules we can change important files which Natural for AJAX uses as the basis of its execution (e.g., “sessions.xml”, which is generated/updated from “conf_index.jsp”)…
• It seems that we have no authentication/authorization procedure that guarantees secure access to these modules…
QUESTION: how could we improve the security in this case?

Depending on which Application Server you are running NJX on, you will find
various options for securing the environment; there is no way of protecting
against what you described within NJX itself.

Hi Wolfgang,
Thank you very much for your information. It is a pity that we don’t have more resources from Natural for AJAX to forward these questions, which I consider very important. I’ll try something on the Application Server side (WebSphere).
Regards,
Orlando.

Orlando,

Open an incident with Software AG support, response guaranteed :wink:

I guess the reason for the lack of responses to your question here is that usually no such security
measures are taken when NJX applications are deployed in an intranet environment:
users just get their canned start URL, the browser command line is disabled, etc.

Best regards,

   Wolfgang

(Q1): Please check http://techcommunity.softwareag.com/ecosystem/documentation/natural/njx825/webio/clientcfg-servlet.htm#clientcfg-servlet for information on how to hide the servlet parameters from end users. This procedure is explicitly recommended there for security reasons.
(Q2): Please check http://techcommunity.softwareag.com/ecosystem/documentation/natural/njx825/webio/clientcfg-security-container.htm#clientcfg-security-constraints on how to restrict access to certain URLs with standard J2EE security means.
Best regards, Thomas
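As an added example for (Q1), not code from NJX or from anyone in this thread: hiding the servlet parameters keeps casual users from seeing them, but the reflected value can still be sent by anyone who knows the URL, so an allowlist on PAGEURL is the check a practitioner would want in front of StartCISPage. The filter below is hypothetical; it assumes start pages are static .html files below /cisnatural/, that the filter is mapped in web.xml to /servlet/StartCISPage, and that rejecting with a 400 is acceptable for the deployment. The class name, the pattern and the 256-character limit are all assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of NJX) mapped to /servlet/StartCISPage.
 * It rejects any PAGEURL value that is not a plain context-relative path
 * built from a conservative character set, so the injected-attribute
 * payload from the post ("onmouseover=alert(...)") never reaches the
 * page that echoes the parameter into an HTML attribute.
 */
public class PageUrlAllowlistFilter implements Filter {

    // Assumption: start pages live below /cisnatural/ and are static .html
    // files. Only letters, digits, '/', '_', '-' and '.' are allowed;
    // quotes, spaces, '<', '>', '&', '=' and '%' are rejected outright.
    static final Pattern SAFE_PAGEURL =
        Pattern.compile("^/cisnatural/(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\\.html$");

    /** Returns true only for a value that is safe to echo into the start page. */
    public static boolean isSafePageUrl(String value) {
        if (value == null || value.length() > 256) {
            return false;
        }
        // Belt and braces: the regex already excludes "..", but be explicit
        // about path traversal so a later regex change cannot reintroduce it.
        if (value.contains("..")) {
            return false;
        }
        return SAFE_PAGEURL.matcher(value).matches();
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getParameter() returns the URL-decoded value, i.e. for the PoC URL
        // the raw string  " onmouseover=alert('TDIclavisXSS') bad="  .
        String pageUrl = request.getParameter("PAGEURL");
        if (pageUrl != null && !isSafePageUrl(pageUrl)) {
            // Refuse the request and do not echo the rejected value back.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid PAGEURL");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    // Stand-alone self-check of the allowlist against the two URLs from the
    // post plus a traversal attempt; throws if the allowlist misbehaves.
    public static void main(String[] args) {
        if (!isSafePageUrl("/cisnatural/NatLogon.html")) {
            throw new AssertionError("legitimate start page rejected");
        }
        if (isSafePageUrl("\" onmouseover=alert('TDIclavisXSS') bad=\"")) {
            throw new AssertionError("XSS payload accepted");
        }
        if (isSafePageUrl("/cisnatural/../etc/passwd.html")) {
            throw new AssertionError("path traversal accepted");
        }
        System.out.println("allowlist checks passed");
    }
}
```

The filter is registered with a standard `<filter>` / `<filter-mapping>` pair in WEB-INF/web.xml with `<url-pattern>/servlet/StartCISPage</url-pattern>`. Allowlisting the parameter is preferable to trying to HTML-escape it inside NJX, because the echoing happens in code the deployer does not control; if the application needs other extensions or directories, widen the pattern deliberately rather than falling back to a denylist of dangerous characters.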

Hi Thomas,
Perfect. It seems that you solved both questions. Thank you!
Best regards,
Orlando.
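As an added example for (Q2), not taken from the NJX documentation or from this thread: the "standard J2EE security means" Thomas refers to are a `<security-constraint>` in WEB-INF/web.xml that puts index.html and conf_index.jsp behind an authenticated role. The fragment below is a constructed illustration; the role name `njxadmin`, the realm name, the choice of BASIC authentication and the assumption that both pages sit directly under the cisnatural context root are all assumptions.

```xml
<!-- Constructed fragment of WEB-INF/web.xml for the cisnatural web
     application (example only; role and realm names are assumptions). -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>NJX configuration pages</web-resource-name>
    <!-- Paths are relative to the context root (/cisnatural). -->
    <url-pattern>/index.html</url-pattern>
    <url-pattern>/conf_index.jsp</url-pattern>
    <!-- No <http-method> element: the constraint then covers every
         method, so it cannot be bypassed with HEAD, PUT or a custom verb. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only principals mapped to this role may reach the pages above;
         the user/group-to-role mapping is done in the application server
         (for WebSphere, in the admin console for this application). -->
    <role-name>njxadmin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Force HTTPS so credentials and sessions.xml edits are not sent in clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>NJX administration</realm-name>
</login-config>

<security-role>
  <role-name>njxadmin</role-name>
</security-role>
```

After deploying, verify the constraint from a browser with no credentials: a request to /cisnatural/conf_index.jsp must yield a 401 (or a redirect to HTTPS first), and the same request with a non-administrative user must yield a 403. If the application exposes the configuration files under any other path as well, add those patterns to the same `<web-resource-collection>`, because the constraint protects URLs, not files.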