WebSpeed Essentials

Making your application secure

A Web user can potentially run any procedure file that is accessible from an agent's PROPATH. This includes any procedures in your application working directory and any procedure files that are relative to the install-path directory. The Web user should be restricted from gaining access to this functionality. For example, the runscrpt.w procedure can compile and run WebSpeed programs typed in by a Web user. If you make this procedure available to a Web user, you essentially give that Web user complete control over an agent. A number of SpeedScript statements would even give the Web user access to your operating system's file structure.
There are a number of things you can do to avoid this possibility. One approach is to start your agents with the run-time client (-rr) startup parameter. This parameter ensures that agents can only run precompiled code. This allows you to leave uncompiled procedures on the PROPATH without concern that they can be run from a Web browser. However, this approach does not allow you to take advantage of WebSpeed's compile-time flexibility. Depending on how you want to write your application, this might be important.
You can also use the check-agent-mode API function to allow some routines to work for Development but not for Production. For more information on the environment options, see the UNIX ubroker.properties.README file, or see OpenEdge Application Server: Developing WebSpeed Applications.
Yet another approach is to move any procedures that you do not want a Web user to run off the PROPATH. For example, if you do not want a Web user to run the runscrpt.w procedure, then you must move it into a directory that is not included on the PROPATH and is not relative to the PROPATH.
Caution: One of the most important security considerations is to deny end users access to WebTools. Access to WebTools allows users to run utilities that can potentially alter or damage your system. Therefore, you should make sure that your WebSpeed agents run in production mode for deployed applications. None of the WebTools can run in production mode.
By default, the WebSpeed agents run in development mode. You can change to production mode by using OpenEdge Management or OpenEdge Explorer to change the agent's properties. See OpenEdge Application Server: Developing WebSpeed Applications for more information.
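The following is an added example, not code from the WebSpeed documentation, of how a development-only Web object can gate itself with check-agent-mode so that it refuses to run on an agent in production mode. It assumes the standard WebSpeed CGI include (src/web/method/cgidefs.i), that check-agent-mode takes a mode name and returns LOGICAL TRUE when the agent is running in that mode, and a hypothetical utility named devtool.p; verify the function's signature against the cgiutils.i shipped with your release.

```abl
/* devtool.p: hypothetical development-only Web object (added example).
   Assumes check-agent-mode("Development") returns TRUE only when the
   agent was started in development mode. */
{src/web/method/cgidefs.i}

/* Fail closed: compare against TRUE explicitly so that an unknown
   value (?) from the mode check is also treated as "not development". */
IF check-agent-mode("Development":U) <> TRUE THEN DO:
  /* Headers must be written before output-content-type ends the
     header block. Return a 403 and a short body, nothing else. */
  output-http-header("Status":U, "403 Forbidden":U).
  output-content-type("text/plain":U).
  {&OUT} "This utility is only available in development mode." SKIP.
  RETURN.
END.

/* Reached only on a development-mode agent. Whatever follows here
   (diagnostics, schema browsing, etc.) is never served in production. */
output-content-type("text/html":U).
{&OUT} "<html><body>" SKIP
       "<h1>Developer utility</h1>" SKIP
       "<p>Agent mode check passed.</p>" SKIP
       "</body></html>" SKIP.
```

Gating inside the procedure is a second line of defence only; the primary controls on this page are running deployed agents in production mode (which disables WebTools entirely) and keeping procedures such as runscrpt.w off the PROPATH.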
The following aspects of your configuration should be secure when deploying WebSpeed:
* Network traffic
* Web server
* WebSpeed server
* Application
The following sections briefly discuss each of these topics. Security is a broad and complex topic. You might want to consult with an expert on security about your particular deployment issues.