callService configuration for running different service types

IBM® Process Portal uses the callService servlet and the tw.coach.callService JavaScript API to invoke services. This servlet is configured to run Ajax services by default. If you have custom client applications that rely on callService to call service types other than Ajax services, add a configuration property to the 100Custom.xml file in IBM Workflow Center or IBM Workflow Server to specify the whitelist of callable services.

Important: Allowing callService to run multiple types of services introduces a possible security issue. Even Ajax services can be used for an attack by authenticated users who know the specifics of the service. Service developers should redesign potential services to prevent harmful usage.

Administrators can change the callService configuration to specify types, the combination of services to run, or both. To change the configuration for callService, add the callservice-valid-services property in 100Custom.xml. The property contains one or more valid-service-entry elements that specify the type of service that you want to run.

The default setting for IBM Process Portal is to run only Ajax services. The following example illustrates the configuration to run an Ajax service:
<properties>
    <server>
        <portal>
            <callservice-valid-services merge="replace">
                <valid-service-entry>ajax service</valid-service-entry>
            </callservice-valid-services>
        </portal>
    </server>
</properties>
The following example illustrates the configuration to run only integration services:
<properties>
    <server>
        <portal>
            <callservice-valid-services merge="replace">
                <valid-service-entry>integration service</valid-service-entry>
            </callservice-valid-services>
        </portal>
    </server>
</properties>
The following list includes all existing services and values that are accepted within the valid-service-entry element in the 100Custom.xml file:
  • All
  • None
  • Regular service
  • Rule service
  • Ajax service
  • Human service
  • Integration service
  • Deployment service flow
  • General System service
  • SCA service
  • Case Manager Integration service
  • Undercover Agent Passthrough service

You can use any combination of the service identifiers to allow callService to run specific types of services. If the special keywords "all" or "none" are encountered in the list, all other entries are ignored.

The following example illustrates the configuration to block everything except for Regular services, Ajax services, and SCA services.

<properties>
    <server>
        <portal>
            <callservice-valid-services merge="replace">
                <valid-service-entry>regular service</valid-service-entry>
                <valid-service-entry>Ajax service</valid-service-entry>
                <valid-service-entry>SCA service</valid-service-entry>
            </callservice-valid-services>
        </portal>
    </server>
</properties>
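
When reviewing a 100Custom.xml, it helps to compute which service types callService will actually accept once the "all"/"none" rule is applied. The following Python script is an added example, not IBM code: the function name audit_callservice and the sample file content are constructed, and it assumes entries are matched without regard to case or surrounding whitespace (the examples on this page mix "ajax service" and "Ajax service").

```python
import xml.etree.ElementTree as ET

# Values this page lists as accepted in valid-service-entry (lower-cased).
KNOWN = {"all", "none", "regular service", "rule service", "ajax service",
         "human service", "integration service", "deployment service flow",
         "general system service", "sca service",
         "case manager integration service",
         "undercover agent passthrough service"}
KEYWORDS = {"all", "none"}

def audit_callservice(xml_text):
    """Return the effective callService allowlist and review findings."""
    prop = ET.fromstring(xml_text).find("./server/portal/callservice-valid-services")
    if prop is None:
        # Page: without the property, only Ajax services are callable.
        return {"effective": ["ajax service"], "findings": []}
    # Assumption: matching ignores case and surrounding whitespace.
    entries = [(e.text or "").strip().lower()
               for e in prop.findall("valid-service-entry")]
    findings = [f"unrecognised entry: {e!r}" for e in entries if e not in KNOWN]
    used = [e for e in entries if e in KEYWORDS]
    if used:
        # Page: when "all" or "none" appears, every other entry is ignored.
        effective = sorted(set(used))
        ignored = [e for e in entries if e not in KEYWORDS]
        if ignored:
            findings.append(f"ignored because of {effective}: {ignored}")
        if len(effective) > 1:
            findings.append("both 'all' and 'none' set; precedence not documented here")
        if "all" in effective:
            findings.append("'all' makes every service type callable")
    else:
        effective = [e for e in entries if e in KNOWN]
        extra = [e for e in effective if e != "ajax service"]
        if extra:
            findings.append(f"non-Ajax types callable: {extra}")
    return {"effective": effective, "findings": findings}

# Constructed sample: an "all" entry left next to a specific one.
SAMPLE = """<properties><server><portal>
  <callservice-valid-services merge="replace">
    <valid-service-entry>Ajax service</valid-service-entry>
    <valid-service-entry>all</valid-service-entry>
  </callservice-valid-services>
</portal></server></properties>"""

if __name__ == "__main__":
    for line in audit_callservice(SAMPLE)["findings"]:
        print(line)
```

Each finding marks a configuration that widens callService beyond the Ajax-only default, or an entry that does not match any value in the list above.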