Two security related questions

malm1 · May 7, 2006, 9:53pm

I noticed that any service invoked through a trigger runs under Administrator. This appears to be an easy way to elevate ones priviliges and is therefore a security risk. Is there a way to secure this?
I noticed that the wmPublic scheduling API allows any user (including the Default user) to create a schedule under any other userid including Administrator. Again this seems to be a very easy way to elevate ones priviliges. Is there a way to secure this?

Thanks

Manuel

tbond.5941 · May 9, 2006, 8:28pm

Manuel,

q1: triggers are coded to run specific services. How would a unprivileged user elevate their privilege?

q2: The ‘add###Task’ built-in services have the Internal ACL. This is not accessible to anyone other than Developers/Administrators.

If you do have other security concerns, you can always post them to security@webMethods.com

reamon · May 9, 2006, 10:16pm

q1: One possibility is an unprivileged user could publish the correct document to an unsecured Broker. But that’s a Broker deployment issue, not an IS security issue.

Manuel, are you using SSL for Broker?

Topic		Replies	Views
Setting up security and automailing threshold levels webMethods , webMethods-General , webMethods-Architecture , Integration-Server-and-ESB	10	1965	April 2, 2021
Broker Subscription trigger webMethods , Universal-Messaging-Broker , Integration-Server-and-ESB , Broker	4	1536	April 2, 2021
Monitoring the services webMethods , Integration-Server-and-ESB , Flow-and-Java-services	8	1019	April 2, 2021
'Run Trigger Service As User' property webMethods , Integration-Server-and-ESB , Flow-and-Java-services	6	2740	April 2, 2021
Need to Administer without Developer ACL webMethods , Integration-Server-and-ESB	2	3227	April 2, 2021

Two security related questions

Related topics