ServletExec Self-Help: FAQ

Faq ID 243
Product ServletExec
Category ArcIMS Users, Security
Question How can I "lock-down" ServletExec AS to ensure that it is not accessed or administered by unauthorized means or users?
Answer Here is a listing of some possible ways to do this:
  1. Password protect access to the SE Admin pages.
    This way, anonymous users won't be able to alter your ServletExec settings. Beginning with SE 5.0 this is set up by default during the SE installation.
  2. Use the "-allow" option in the ServletExec AS startup script.
    That option can be used to specify the address(es) of the web server(s) that are allowed to communicate with the ServletExec AS instance. By default, an SE AS instance will only accept communication from a web server that is running on the same machine as the instance. See the SE Installation Guide for more information about the "-allow" option.
  3. Remove the servletexec web application.
    Note: Removing this web application prevents access to the ServletExec Admin UI from any machine.
    Therefore, after removing this web application, any time you wish to make SE configuration changes you will be required to edit the ServletExec configuration files by hand with a text editor and then cycle the SE AS instance. In other words, you'll be making your life more difficult, so think carefully before you do this. Also note that the servletexec web application is an auto-deployed webapp. This means that you'll have to do an extra step in order to totally remove/undeploy it (see SE FAQ #242 for more info).
  4. If you have your own specific webapp to which you are trying to control access, then you should consider utilizing some of the Access Control mechanisms that are available for use in any webapp. These mechanisms are defined in the Servlet Specification and are implemented by ServletExec. They are discussed in the Servlet Specifications and in the ServletExec 5.x (and higher) User Guide. For example, in the SE 5.0 User Guide you should take a look at the following sections:
    • 3.5.6 entitled "Setting Up Roles, Users, and Role Mapping"
    • 3.5.7.4 entitled "Security"

    In addition, SE comes with an exampleWebApp which offers several working examples of many things, some of which deal with things such as Access Control mechanisms.
  5. Set up a firewall environment using one or more firewalls to control the traffic that your SE instance will receive.
    This technique is an advanced technique and is discussed in great detail here



   