MicroStrategy ONE

Enforce Security Constraints for the Plugin Folder in MicroStrategy Web or Library

Prior to MicroStrategy 2021 Update 8 (11.3.8), you must follow the steps below to enforce security constraints for the plugin folder.

Starting in MicroStrategy 2021 Update 8 (11.3.8), MicroStrategy enabled this option by default in Web JSP, so you do not need to follow the steps below. However, if you are using Web ASP, you must follow the steps below.

If you are using plugins for customization in MicroStrategy Web or Library, MicroStrategy suggests implementing the security constraints detailed below to protect sensitive or confidential files, such as passwords or database connections. These security constraints protect the JSP Web plugin’s WEB-INF and jsp folders, as well as the asp folder for ASP Web, from remote access via URL.

Solution for JSP Deployments

To prevent the WEB-INF and jsp folders inside the given plugin folder from being accessed by a web URL, add the following security constraint in web.xml. This file is located in the Web JSP’s WEB-INF folder, such as <Web JSP deployment>/WEB-INF/web.xml.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>NoAccess</web-resource-name>
    <url-pattern>/plugins/<plugin name>/jsp/*</url-pattern>
    <url-pattern>/plugins/<plugin name>/WEB-INF/*</url-pattern>
  </web-resource-collection>
  <auth-constraint />
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

MicroStrategy recommends that you place your server-side files for JSP deployments in the WEB-INF and jsp folders. If your plugin has sensitive files in other folders, you can add more <url-pattern> entries for those folders in web.xml to ensure they cannot be accessed.

See the Java Servlet Specification for more information about security-constraint.
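One way to audit a web.xml for the constraint above, given as an added example rather than MicroStrategy code: it reports the plugin folders that have no deny-all constraint. The plugin names reports and charts, the sample descriptor, and the function names are constructed for illustration. A constraint restricted by http-method is counted as missing, because the other HTTP methods remain reachable.

```python
import xml.etree.ElementTree as ET

# Constructed sample: "reports" is fully covered, "charts" only for GET.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoAccess</web-resource-name>
      <url-pattern>/plugins/reports/jsp/*</url-pattern>
      <url-pattern>/plugins/reports/WEB-INF/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>GetOnly</web-resource-name>
      <url-pattern>/plugins/charts/jsp/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the XML namespace so the check works with any descriptor version."""
    return tag.rsplit("}", 1)[-1]

def deny_all_patterns(web_xml_text):
    """Return url-patterns denied for every HTTP method by an empty auth-constraint."""
    denied = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if local(c.tag) == "auth-constraint"]
        # Deny-all requires an auth-constraint element with no role-name children.
        if not auth or any(local(r.tag) == "role-name" for a in auth for r in a):
            continue
        for wrc in (c for c in sc if local(c.tag) == "web-resource-collection"):
            tags = {local(c.tag) for c in wrc}
            # A method list narrows the constraint; other methods stay reachable.
            if tags & {"http-method", "http-method-omission"}:
                continue
            denied.update((c.text or "").strip() for c in wrc if local(c.tag) == "url-pattern")
    return denied

def missing_patterns(web_xml_text, plugin_names, folders=("jsp", "WEB-INF")):
    """List the required deny patterns that the descriptor does not contain."""
    denied = deny_all_patterns(web_xml_text)
    required = [f"/plugins/{p}/{f}/*" for p in plugin_names for f in folders]
    return [r for r in required if r not in denied]
```

Calling missing_patterns with the text of the deployed web.xml and the directory names found under plugins gives the list of patterns still to be added.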

Solution for ASP Deployments

To prevent the WEB-INF and asp folders inside the given plugin folder from being accessed by a web URL, copy the web.config file in <Web ASPx Deployment>\WEB-INF\web.config to <Web ASPx Deployment>\plugins\<plugin name>\WEB-INF\web.config and <Web ASPx Deployment>\plugins\<plugin name>\asp\web.config.

MicroStrategy recommends that you place your server-side files for ASP deployments in the WEB-INF and asp folders. If your plugin has sensitive files in other folders, you can copy the same web.config to the corresponding location.

The contents of the web.config file are shown below.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>    
    <system.webServer>
        <handlers accessPolicy="None" />
    </system.webServer>
</configuration>

See the Handlers <handlers> Microsoft IIS document regarding accessPolicy for more information.