Securing the Interop Servlet

The tasks to customize authentication and authorization for the HTTP API servlet include additions to the customer_overrides.properties file. You can use this file to control authentication from within the InteropHttpServlet, which supports both container and token-based authentication.

To configure container and/or token-based authentication, set the following properties in the customer_overrides.properties file:
  • yfs.interopservlet.auth.container.enabled=true/false
  • yfs.interopservlet.auth.token.enabled=true/false
  • yfs.interopservlet.auth.userPassword.enabled=true/false
CAUTION:
Change only the properties referred to in this section. Changes to any other properties for the purpose of securing the interop servlet are not supported.

If every enabled option fails, then the user is not authenticated. The default value is true for the interopservlet.auth.token.enabled property and the interopservlet.auth.userPassword.enabled property.

Note: As a special case, if no authentication mechanisms are enabled, then full access is granted to the servlet. This should not be done on a production server.

Access to the HTTP API can also be secured by modifying the deployment descriptor. The deployment descriptor, web.xml, is defined by the servlet specification from Sun Microsystems and can be used to deploy a Web application on any J2EE-compliant application server. The deployment descriptor for Sterling B2B Integrator is stored in the following directory:
  • UNIX/Linux
    install_dir/repository/eardata/platform/descriptors/application_server_type/WAR/WEB-INF
    Valid values for application_server_type are JBoss, WebLogic, or WebSphere.
  • Windows
    install_dir\repository\eardata\platform\descriptors\application_server_type\WAR\WEB-INF
    Valid values for application_server_type are JBoss, WebLogic, or WebSphere.

By using the security-constraint element with the web-resource-collection element, you can set up authorization to protect this page from unauthorized access. For more information about the web.xml deployment descriptor, see the documentation for your application server.
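The following script is an added example, not part of the Sterling B2B Integrator product or its documentation. It checks the two controls this page describes: it reads a customer_overrides.properties file, resolves the three yfs.interopservlet.auth.* switches with the documented defaults, and flags the special case where no mechanism is enabled (full access); and it parses a web.xml to confirm that a security-constraint with a web-resource-collection covers the servlet's URL and carries an auth-constraint. The sample properties, the sample web.xml, the URL pattern /interop/*, and the role name interop-user are constructed for illustration; the real URL pattern must be read from the servlet-mapping in your descriptor. Treating an unset container switch as disabled, and only the literal value true as enabled, are assumptions.

```python
"""Audit the interop servlet's two documented controls (added example, not product code)."""
import xml.etree.ElementTree as ET

# Documented defaults: token and userPassword default to true. Assumption: the page
# states those defaults without the "yfs." prefix; they are taken to mean the prefixed
# keys. The container switch has no documented default, so unset is treated as off.
AUTH_DEFAULTS = {
    "yfs.interopservlet.auth.container.enabled": False,
    "yfs.interopservlet.auth.token.enabled": True,
    "yfs.interopservlet.auth.userPassword.enabled": True,
}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def effective_auth(props):
    """Resolve each switch to a bool, applying defaults for unset keys.
    Assumption: only the literal 'true' (any case) counts as enabled."""
    return {key: (props[key].lower() == "true") if key in props else default
            for key, default in AUTH_DEFAULTS.items()}


def audit_properties(text):
    """Return (effective switches, findings); the finding that matters is the page's
    special case: with no mechanism enabled the servlet grants full access."""
    enabled = effective_auth(parse_properties(text))
    findings = []
    if not any(enabled.values()):
        findings.append("no authentication mechanism enabled: servlet grants full access")
    return enabled, findings


def _strip_namespaces(root):
    """web.xml may use the j2ee or javaee namespace or none; compare local names only."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def _covers(pattern, path):
    """Servlet-style match: exact, or a '/prefix/*' pattern covering the path."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return False


def audit_web_xml(text, path):
    """Return (protected, detail): True plus the role list when a security-constraint
    covers `path` and has an auth-constraint, else False plus the reason."""
    root = _strip_namespaces(ET.fromstring(text))
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern") if p.text]
        if not any(_covers(p, path) for p in patterns):
            continue
        auth = sc.find("auth-constraint")
        if auth is None:  # collection matched but nothing restricts who may call it
            return False, "constraint covers %s but has no auth-constraint" % path
        return True, [r.text.strip() for r in auth.findall("role-name") if r.text]
    return False, "no security-constraint covers %s" % path


# Constructed sample: every switch off, the special case the page warns about.
WEAK_PROPERTIES = """yfs.interopservlet.auth.container.enabled=false
yfs.interopservlet.auth.token.enabled=false
yfs.interopservlet.auth.userPassword.enabled=false
"""

# Constructed sample: container auth on, token auth left at its default (true).
HARDENED_PROPERTIES = """yfs.interopservlet.auth.container.enabled=true
yfs.interopservlet.auth.userPassword.enabled=false
"""

# Constructed web.xml fragment. No <http-method> is listed inside the collection on
# purpose: listing methods narrows the constraint to only those methods.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Interop Servlet</web-resource-name>
      <url-pattern>/interop/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>interop-user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Interop</realm-name></login-config>
  <security-role><role-name>interop-user</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    print(audit_properties(WEAK_PROPERTIES))
    print(audit_properties(HARDENED_PROPERTIES))
    print(audit_web_xml(SAMPLE_WEB_XML, "/interop/InteropHttpServlet"))
```

Point the script at your own customer_overrides.properties and the web.xml under the WEB-INF directory listed above, passing the servlet path taken from that descriptor's servlet-mapping; the CONFIDENTIAL transport-guarantee in the sample is a servlet-spec element that makes the container require HTTPS for the constrained resource.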