Securing the Jetfire Web Service

The Jetfire Web Service API is a general purpose web service that provides full access to Jetfire Workflows.

An open web service

Without security settings,
  • The Web Service transmits data in clear text between the client and the Jetfire Service.
  • Users can log into any Jetfire subscription.
    • A website may have multiple Jetfire subscriptions that are configured for different customers and/or different applications.
  • Any authenticated user and Guests can log into the Jetfire Web Service.
    • Jetfire workflows can be designed to be secure using Roles. However, this is not always the case: some workflows are public for reasons of convenience. The website has additional security mechanisms for securing Jetfire workflows.
  • Users can access all commands on the Web Service.
    • Jetfire workflows can be designed to be secure using Roles. However, the subscription owner may wish to restrict some commands that web service users can access.
    • The Jetfire Web Service maps to the Jetfire Language, providing a powerful syntax for working with Jetfire Workflows. Without security, the following Web Service functions can be accessed by any user:
      • Create a workflow
      • Execute a workflow command
      • Save workflow properties
      • Get a workflow

A secure web service

Application Settings are used to secure the Jetfire Web Service. With these,
  • The Web Service can be configured to transmit encrypted data between the client and the Jetfire Service.
    • Data may be encrypted in incoming, outgoing or both directions.
  • Users are restricted in which Jetfire subscriptions they can log into.
    • It is recommended that each subscription have a separate Web Service configured in a separate folder with its own application settings, for example http://mysite.com/ws1/EventsWebService.asmx versus http://mysite.com/ws2/RegistrationWebService.asmx.
    • The Jetfire Web Service is designed to be easily duplicated on the site.
  • Users must have one or more Roles that match the required Roles on the Jetfire Web Service Access Control List.
    • Roles assigned to the Jetfire Web Service behave like an Access Control List. That is, the incoming message must have one of the Roles in the ACL to access the service.
  • Users are restricted in which commands they can access on the Web Service.
    • Users can be restricted to a subset of the Web Service methods.
      • e.g. users may be restricted so that they cannot create a workflow.
      • e.g. users may be restricted to a read interface, where they can get data but not create or update data.
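
The restrictions listed above can be read as one fail-closed gate evaluated per request. The following is an added model in Python, not Jetfire code or its actual application settings: the policy fields, method names, role name and the "Events" subscription are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical names for the four Web Service functions the page lists.
ALL_METHODS = frozenset(
    {"CreateWorkflow", "ExecuteCommand", "SaveProperties", "GetWorkflow"})
READ_METHODS = frozenset({"GetWorkflow"})


@dataclass(frozen=True)
class EndpointPolicy:
    """Hypothetical per-folder settings for one copy of the Web Service."""
    subscription: str           # the only subscription this endpoint serves
    acl_roles: frozenset        # caller needs at least one of these Roles
    allowed_methods: frozenset  # subset of ALL_METHODS exposed here
    require_encrypted_request: bool = True


@dataclass(frozen=True)
class Request:
    subscription: str
    roles: frozenset
    method: str
    encrypted: bool


def authorize(policy: EndpointPolicy, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check denies unless it passes."""
    if policy.require_encrypted_request and not req.encrypted:
        return False, "clear-text request"
    if req.subscription != policy.subscription:
        return False, "subscription not served by this endpoint"
    # An empty ACL, or a Guest with no Roles, gives no intersection: denied.
    if not (policy.acl_roles & req.roles):
        return False, "no Role in ACL"
    if req.method not in (policy.allowed_methods & ALL_METHODS):
        return False, "method not allowed"
    return True, "ok"


# Constructed sample: a read-only endpoint for an "Events" subscription.
EVENTS_READONLY = EndpointPolicy(
    subscription="Events",
    acl_roles=frozenset({"EventStaff"}),
    allowed_methods=READ_METHODS,
)
```

Treating an empty ACL as "deny everyone" rather than "allow everyone" is a design choice of this model; it keeps a misconfigured endpoint from falling back to the open behaviour described in the first list.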
