WebSpeed
Developer’s Guide


Making Your Application Secure

A Web user can potentially run any procedure file that is accessible from an Agent's PROPATH simply by naming it in a request. This includes every procedure in your application working directory and every procedure file whose path is relative to the install-path directory. You probably do not want to give the Web user this ability. For example, the runscrpt.w procedure (the one this section later suggests moving off the PROPATH) compiles and runs WebSpeed code typed in by a Web user. If you make such a procedure available to a Web user, you essentially give that Web user complete control over an Agent. A number of SpeedScript statements would then also give the Web user access to your operating system's file structure, under the Agent's own privileges.

There are several ways to close this hole. One approach is to start your Agents with the Run Run-time Client (-rr) startup parameter. This parameter ensures that Agents can only run precompiled code (r-code), so uncompiled procedures can be left on the PROPATH without concern that a Web browser can cause them to be compiled and run. Note that -rr does not restrict which precompiled procedures can be run: a dangerous procedure that has been compiled to an .r file on the PROPATH remains reachable. This approach also forgoes WebSpeed's compile-time flexibility, which may or may not matter depending on how you want to write your application.

You can also use the check-agent-mode API function to allow a routine to work for Development but not for Production, so that development-only tools refuse to run on a Production Agent. For more information on the environment options, see the UNIX webspeed.cnf file or the WebSpeed Installation and Configuration Guide.

Yet another approach is to move any procedures that you do not want a Web user to run off of the PROPATH entirely. For example, if you do not want a Web user to run the runscrpt.w procedure, you must move it into a directory that is not on the PROPATH and is not a subdirectory of any PROPATH entry, because a relative name such as a subdirectory path is resolved against every PROPATH entry and can still be requested by a Web user.
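The two PROPATH-based approaches above (restricting Agents to precompiled code with -rr, and moving unwanted procedures off the PROPATH) are easy to get subtly wrong, so the following POSIX shell script is offered here as an added audit check. It is not part of the WebSpeed guide or product. It assumes a UNIX-style, colon-separated PROPATH, treats .p, .w and .html files as source procedures that an Agent without -rr can compile and run, treats .r files as precompiled r-code runnable in either mode, and ignores procedure libraries (.pl). The name runscrpt is used only as the example from the text; pass whatever procedure names you want to deny.

```shell
#!/bin/sh
# audit_propath.sh: added example, not code from the WebSpeed guide.
# Reports every procedure file a Web user could request by name through an
# Agent, given the Agent's PROPATH and whether it runs with -rr.
# Assumptions (not from the guide): UNIX colon-separated PROPATH; .p/.w/.html
# are compilable source, .r is precompiled r-code; .pl libraries are ignored.
# Each PROPATH entry is walked recursively because a relative name such as
# sub/runscrpt.w also resolves against every entry.

# Print the PROPATH entries one per line, skipping empty ones.
propath_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^$'
}

# Print every file a Web user could run.
# $1 = PROPATH, $2 = "rr" if the Agent was started with -rr, anything else
# if it may compile source on demand.
list_runnable() {
    propath_entries "$1" | while IFS= read -r entry; do
        [ -d "$entry" ] || continue
        if [ "$2" = "rr" ]; then
            find "$entry" -type f -name '*.r'
        else
            find "$entry" -type f \( -name '*.r' -o -name '*.p' \
                -o -name '*.w' -o -name '*.html' \)
        fi
    done | sort -u
}

# Return 0 if none of the named procedures is runnable, else print each
# reachable copy and return 1.  Names are compared on the base name without
# extension, so "runscrpt" matches runscrpt.w and runscrpt.r alike.
# $1 = PROPATH, $2 = rr|norr, remaining args = procedure names to deny.
check_denied() {
    propath=$1; mode=$2; shift 2
    status=0
    for name in "$@"; do
        hits=$(list_runnable "$propath" "$mode" | while IFS= read -r path; do
            base=${path##*/}; base=${base%.*}
            if [ "$base" = "$name" ]; then printf '%s\n' "$path"; fi
        done)
        if [ -n "$hits" ]; then
            printf 'DENIED procedure reachable by Web users:\n%s\n' "$hits"
            status=1
        fi
    done
    return $status
}

# Usage: audit_propath.sh "<PROPATH>" rr|norr name [name ...]
if [ "$#" -ge 3 ]; then
    check_denied "$@"
fi
```

Run it against the Agent's actual PROPATH and startup mode after every deployment; a non-zero exit means a denied procedure is still reachable. Note that under -rr the check passes only when no .r copy of the denied procedure exists on the PROPATH, which is exactly the caveat that -rr alone does not give you.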

NOTE: None of the WebSpeed tools can run in Production mode, so running Production Agents in that mode is itself part of keeping development tools away from Web users.


Copyright © 2004 Progress Software Corporation
www.progress.com
Voice: (781) 280-4000
Fax: (781) 280-4095