Securing custom applications

If a KCM ComposerUI ASP.NET custom application is going to be exposed to the Internet, it must be configured to run in Secure Mode. To secure the application from Internet attackers, KCM ComposerUI applies strict conditions on the communication between the KCM ComposerUI application and the web browser. The Secure Mode configuration setting can be enabled from the Customization section of the application configuration page. Changes to this setting only take full effect when the application is deployed. Deployment can be done from the KCM ComposerUI ASP.NET main configuration page.

When an application is running in Secure Mode, the following changes are applied:

  • By default, a file in the application folder is not exposed as a web URL, unless it is explicitly configured to be exposed. The configuration file securemode-urls.xml, which can be found in the root folder of the application, defines which files are exposed through web URLs.

  • Ad hoc Master Template runs, which use URL parameters to specify the Master Template run parameters, are not allowed. Only prepared Master Template runs can be used.

  • Because the KCM Repository uses ad hoc Master Template runs when testing Master Templates in KCM ComposerUI, it is not possible to use a Secure Mode application to test Master Templates from the KCM Repository.

  • For the non-customizable web pages exposed by KCM ComposerUI ASP.NET, strict parameter checks are applied, and the web pages cannot be loaded when these parameter checks fail.

  • Users are no longer authenticated using Windows Authentication, because this authentication method is not applicable in an Internet situation. Instead, access to the web pages is restricted to authorized users by verifying the session ID provided by the Internet user. However, configuration pages do still require the use of Windows Authentication, so that they cannot be accessed by unauthenticated Internet users.

  • Some internal workings of KCM ComposerUI are modified compared to the non-secure mode so that they no longer pass information through URLs.

The SecureSample application that is installed with KCM ComposerUI is written so that it can run when Secure Mode is enabled. If you use the SecureSample application as a starting point for creating a new application, always make sure that you are using the most recent version. We recommend that you do not use the Sample or Sample2 applications as a starting point for creating a new Secure Mode application, because they are not designed for this purpose.

SecureSample is also designed so that it can be used as a stand-alone letterbook. For this purpose, it contains a page preparelist.aspx, which automatically creates a prepared Master Template list. This page merely serves as an example and should therefore never be used in Secure Mode. See the comments in the preparelist.aspx.cs source for more information on this subject.