Resources to secure

When you determine which resources to secure, review all of the components that have a URL mapping and that your Rich UI application accesses:

Generated HTML file

EGL generates a Rich UI application into an HTML file. HTML files are generated into the WebContent folder (or into a subfolder in the WebContent folder) of your deployed project. If an HTML file is secure, you must authenticate before you access the Rich UI application that is defined in the HTML file. To secure the entire HTML file, you can use JEE authentication. To restrict sensitive areas of the Rich UI application, you can use custom security.

EGL Rich UI Proxy

The EGL Rich UI Proxy handles communication between the HTML file that EGL generates for a Rich UI application and Web services. Because of the Same Origin policy for JavaScript™, the HTML file cannot invoke a Web service that has a different origin (defined as protocol, domain, and port) than that of the HTML file. To get to Web services on different origins, the HTML file uses a Java™ servlet known as the EGL Rich UI Proxy. All Web services that are invoked in a Rich UI application are accessed through the proxy.

The EGL Rich UI Proxy servlet is of the type com.ibm.javart.services.RestServiceServlet and is shipped with the EGL runtime in fda7.jar. The servlet is deployed to the same project as your generated HTML file. While the HTML file runs in a browser, the EGL Rich UI Proxy runs on an application server.

Because the URL of the EGL Rich UI Proxy is visible in the JavaScript™ that EGL generates for your Rich UI application, you must prevent the proxy from being used by anyone other than your Rich UI client to invoke Web services. If you leave the proxy unsecured, it can be used to instigate JavaScript hijacking attacks. If your Rich UI application does not use the EGL Rich UI Proxy (that is, if the application invokes no Web services), remove access to the proxy from your deployed project. For more information, see Removing access to the EGL Rich UI Proxy servlet. Otherwise, you can use JEE basic authentication to prevent the proxy from being invoked by an unauthenticated client. While this action cannot guarantee protection against Web threats, it can reduce the possibility of one occurring.

If both the HTML file and EGL Rich UI Proxy are secure, authentication is required only before you can access the HTML file. If the EGL Rich UI Proxy is secure and the HTML file is not, authentication is required before you can access the proxy (that is, before the application calls a Web service that is invoked through the proxy).

EGL Web service

To secure EGL Web services that are generated into a Web project, you can use JEE security through HTTP basic authentication. In HTTP basic authentication, you access secure Web services by passing a valid user id and password in the HTTP header. EGL provides a system function in ServiceLib, setHTTPBasicAuthentication, which sets these values in the header. Precede each call to a secure Web service with a call to setHTTPBasicAuthentication.

To avoid security exposures, never hardcode the user id and password into the Rich UI application. Instead, the Rich UI application should display a user-defined login screen to prompt the user for the values to pass to setHTTPBasicAuthentication. Once you obtain the password, you can store it in your Rich UI handler or a library for future Web service calls. Whenever you need a different set of credentials to pass to a Web service, you must prompt the user again.
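The three resources described above (the generated HTML file, the EGL Rich UI Proxy servlet, and the EGL Web services in the same project) are all secured with the same JEE mechanism: a security-constraint in the project's web.xml, backed by BASIC login-config. The following web.xml is an added example and is not a file shipped with EGL or generated by it. The servlet-class name is the one the text gives; the servlet name, the URL patterns (/proxy/*, /services/*, /RuiApp.html), the role name ruiuser, and the realm name are placeholders that you must replace with the mappings and roles of your own deployed project.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the EGL documentation or runtime).
     Assumed placeholders: servlet name "EGLRichUIProxy", URL patterns
     /proxy/*, /services/* and /RuiApp.html, role "ruiuser", realm "RichUI".
     Replace them with the mappings and roles of your deployed project. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- EGL Rich UI Proxy servlet; the class is the one shipped in fda7.jar.
       If the application invokes no Web services, remove this <servlet>
       and its <servlet-mapping> instead of securing them. -->
  <servlet>
    <servlet-name>EGLRichUIProxy</servlet-name>
    <servlet-class>com.ibm.javart.services.RestServiceServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>EGLRichUIProxy</servlet-name>
    <url-pattern>/proxy/*</url-pattern> <!-- placeholder mapping -->
  </servlet-mapping>

  <!-- 1. The generated HTML file. When this and the proxy are both
          constrained, the user authenticates here and the browser reuses
          the credentials for the proxy in the same realm. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Rich UI HTML file</web-resource-name>
      <url-pattern>/RuiApp.html</url-pattern> <!-- placeholder file name -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>ruiuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic authentication only encodes credentials; require TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. The proxy. No <http-method> element is listed, so the constraint
          covers every method; listing only POST would leave GET open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>EGL Rich UI Proxy</web-resource-name>
      <url-pattern>/proxy/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ruiuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 3. EGL Web services generated into this project. The client reaches
          them with the user id and password that setHTTPBasicAuthentication
          places in the HTTP header before each call. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>EGL Web services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ruiuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>RichUI</realm-name>
  </login-config>

  <security-role>
    <role-name>ruiuser</role-name>
  </security-role>
</web-app>
```

Two checks are worth making after deploying such a file: request the proxy URL directly from a browser that has not loaded the HTML file and confirm that the server answers with a 401 challenge rather than serving the request, and confirm that the URL patterns match the mappings your application server actually assigns, because a constraint on a pattern that nothing maps to protects nothing. The user-data-constraint is not in the text above but is the usual companion of BASIC authentication, since the header carries the user id and password in a reversible encoding.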
