StartCISPage servlet:
Considering the following URL to access Natural for AJAX…
We could insert an script code as parameter to PAGEURL (which could be executed at the user side and, considering a malicious code, it could be a harm) as follows…
QUESTION: is there any hint to avoid this?
 “index.html” and “conf_index.jsp”
• From these modules we can change important files which Natural for AJAX can use as base of its execution (e.g., “sessions.xml” which is generated/updated from “conf_index.jsp”)…
• It seems that we have no procedure for authentication/authorization that can guarantee the security of access to these modules…
QUESTION: how could we improve the security in this case?
Depending on what Application Server you are running NJX on you will find
various options for securing the environment, there are no ways of protecting
against what you described within NJX itself.
Thank you very much for your information. It is a pity that we don’t have more resources from the Natural for AJAX to forward these questions, which I consider very important. I’ll try something at the Application Server side (WebSphere).
open an incident with Software AG support response guaranteed
I guess the lack of responses to your question here is that usually no such security
measures are taken when NJX applications are deployed in an intranet environment,
users just get their canned start URL, the browser command line is disabled etc.
(Q1): Please check http://techcommunity.softwareag.com/ecosystem/documentation/natural/njx825/webio/clientcfg-servlet.htm#clientcfg-servlet for information on how to hide the servlet parameters from end users. This procedure is explicitly recommended there for security reasons.
(Q2): Please check http://techcommunity.softwareag.com/ecosystem/documentation/natural/njx825/webio/clientcfg-security-container.htm#clientcfg-security-constraints on how to restrict the access to certain URLs with standard J2EE security means.
Best regards, Thomas
Perfect. It seems that you solved both questions. Thank you!