Securing DSPs Against Unauthorized Access
When you publish a DSP, you need to configure the server’s security mechanisms to protect the DSP from unauthorized access. DSPs have two levels of security protection you need to set.
Access to the DSP itself. Access to a DSP is controlled by an Access Control List (ACL). An ACL specifies which users have permission to retrieve the DSP. An ACL allows you to make access to the DSP as liberal (e.g., allow access to anyone) or as restrictive (e.g., restrict access to only certain people) as you need.
To assign an ACL to a DSP, you must update (or create) the .access file in the directory where the DSP resides. For procedures, see “Assigning ACLs to Files the Server Can Serve” in webMethods Integration Server Administrator’s Guide.
Note:
Unlike a service, access to a DSP cannot be restricted to a particular port. Thus you do not specify port-level controls for a DSP.
Access to services invoked by the DSP. When a user requests a DSP, the services invoked by the DSP are subject to a port-level check (against the port on which the DSP was requested) and an ACL check (against the user that requested the DSP). To ensure that the services in your DSP execute successfully, you must do the following:
Make sure that the services it invokes are allowed to execute on the port(s) where the DSP will be requested.
Make sure that users who are authorized to use the DSP are also authorized to execute the services that the DSP invokes. (For convenience, you might want to assign the same ACL to the DSP and to the services it invokes.)
For information about configuring port-level security and assigning ACLs to services, see webMethods Integration Server Administrator’s Guide.
Note:
A service that is internally invoked by a service in a DSP is not subject to security control unless Enforce Execute ACL is set (in the Properties panel) for the internally invoked service. When this option is set, the server performs an ACL check on the service using the user ID under which the DSP was initially requested.