Exposing web URLs

In an ITP/OnLine ASP.NET application that is running in Secure Mode, content that is present in the application folder is not exposed to the web by default. To expose a certain file through a web URL, it must be listed in the file securemode-urls.xml, which can be found in the root of the application folder. Changes to this file are applied when the application is deployed. This can be done from the ITP/OnLine ASP.NET main configuration page.

The format of the file securemode-urls.xml is as follows:

<?xml version="1.0" encoding="UTF-8" ?> 
<itp:secure-mode-urls xmlns:itp=
   "http://www.aia-itp.com/namespaces/online-secure-mode-urls/1"> 
  <itp:exposed> 
    <itp:pattern pattern="/modelbegin.aspx" /> 
    <itp:pattern pattern="/css/*.css" /> 
    <itp:pattern pattern="*.js" /> 
  </itp:exposed> 
</itp:secure-mode-urls>

This example contains three itp:pattern entries. Each itp:pattern entry specifies a pattern for URLs that are exposed. All URL patterns are specified relative to the application folder.

Three types of patterns are supported: single URLs, sets of URLs in a specific folder, and sets of URLs in any folder.

Customizing securemode-urls.xml

The SecureSample application that is installed with ITP/OnLine ASP.NET contains an example securemode-urls.xml. This file exposes the URLs that must be exposed for the SecureSample application to function properly. When building a custom application based on the SecureSample application, the developer should always modify securemode-urls.xml to expose only the URLs that are required by the specific application. This may involve exposing additional URLs, but it is also advisable to remove any URLs that are not required by the custom application. The following is a list of URLs that are provided by ITP/OnLine ASP.NET and that may need to be exposed or unexposed. The column Exposed by default? indicates whether a URL is exposed in the default configuration of SecureSample.

| URL | Exposed by default? | Description |
|---|---|---|
| /download.aspx, /opendocument.aspx | Yes | Required when PDF previews are used. |
| /textblockview.aspx, /viewtextblock.aspx | Yes | Required when Text Block preview is used. |
| /xml2html.aspx, /html2xml.aspx, /editorpage.aspx, /fieldimage.aspx | Yes | Required when Editable Text Block Questions are used in dynamic forms, or when TEXTBLOCK questions are used in FORM statements in ITP Models. |
| /empty.aspx | Yes | Required by the sample applications to display an empty frame. |
| /upload.aspx | Yes | Required when FILE questions are used in FORM statements in ITP Models, and when the ActiveX file upload control is enabled. |
| /modelbegin.aspx | Yes | This is a customizable page, the starting point for all model runs. |
| /runmodel.aspx | Yes | Required for all model runs. |
| /modelend.aspx | Yes | This is a customizable page, the end point for all model runs. |
| /modelsuspend.aspx | No | This is a customizable page, which is loaded when the end user uses the button Suspend. The default implementation sends the suspended model run information to the web user as a downloadable file. |
| /modelresume.aspx | No | This is a customizable page which can be used to resume a model run that was suspended by the page modelsuspend.aspx. The default implementation allows the user to upload a file containing model run information. This is considered a security risk, so the page is not exposed by default. |
| /modelselect.aspx | Yes | This is a customizable page, the starting point for all model lists. |
| /listmodels.aspx, /openfolders.aspx, /modelselected.aspx | Yes | Required for model lists, used by the default implementation of modelselect.aspx. |
| *.js, *.png, *.gif, *.jpg, *.htm, *.html, *.css | Yes | ITP/OnLine ASP.NET ships files with these extensions that should be available through the web. Because files with these extensions are normally public web content, they are exposed by default in the sample applications. |

When exposing custom content through securemode-urls.xml, we advise being as specific as possible. The reason for this is that ITP/OnLine ASP.NET may ship files that should not be exposed, and that could be inadvertently exposed when an overly broad pattern is used. For instance, it is not wise to expose the patterns "*.xsl" or "*.xml", because that will expose various internal ITP/OnLine files. It is acceptable, however, to expose the more limited "/myfolder/*.xml".
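
The following audit script is an added example, not part of ITP/OnLine ASP.NET. It classifies each itp:pattern entry into one of the three pattern types and reports .xml or .xsl files that only an any-folder pattern exposes. The matching rules ("*" stays within one path segment, a pattern without a leading "/" applies in any folder, matching ignores case) are assumptions inferred from the examples above, and the file listing is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"itp": "http://www.aia-itp.com/namespaces/online-secure-mode-urls/1"}

# Constructed sample: the page's example plus the "*.xml" pattern it warns against.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8" ?>
<itp:secure-mode-urls xmlns:itp=
   "http://www.aia-itp.com/namespaces/online-secure-mode-urls/1">
  <itp:exposed>
    <itp:pattern pattern="/modelbegin.aspx" />
    <itp:pattern pattern="/css/*.css" />
    <itp:pattern pattern="*.js" />
    <itp:pattern pattern="*.xml" />
    <itp:pattern pattern="/myfolder/*.xml" />
  </itp:exposed>
</itp:secure-mode-urls>"""

# Constructed file listing, relative to the application folder (hypothetical paths).
SAMPLE_FILES = ["/modelbegin.aspx", "/css/site.css", "/scripts/app.js",
                "/myfolder/data.xml", "/securemode-urls.xml", "/config/internal.xml"]

def classify(pattern):
    """Map a pattern to one of the three supported types."""
    if "*" not in pattern:
        return "single"
    return "folder" if pattern.startswith("/") else "any-folder"

def to_regex(pattern):
    # Assumed semantics: "*" stays inside one path segment, a pattern without a
    # leading "/" applies in any folder, and matching ignores case.
    body = "[^/]*".join(re.escape(part) for part in pattern.split("*"))
    prefix = "" if pattern.startswith("/") else "(?:/[^/]+)*/"
    return re.compile(prefix + body, re.IGNORECASE)

def audit(xml_bytes, files, risky_ext=(".xml", ".xsl")):
    """Return (files exposed per pattern, risky files only a broad pattern exposes)."""
    root = ET.fromstring(xml_bytes)
    patterns = [e.get("pattern") for e in root.findall("itp:exposed/itp:pattern", NS)]
    exposure = {p: [f for f in files if to_regex(p).fullmatch(f)] for p in patterns}
    specific = {f for p, hits in exposure.items()
                if classify(p) != "any-folder" for f in hits}
    findings = [(p, f) for p, hits in exposure.items() if classify(p) == "any-folder"
                for f in hits if f.lower().endswith(risky_ext) and f not in specific]
    return exposure, findings

if __name__ == "__main__":
    exposure, findings = audit(SAMPLE_XML, SAMPLE_FILES)
    for pattern, path in findings:
        print(f"broad pattern {pattern!r} exposes {path}")
```

Run it against the real securemode-urls.xml and a listing of the deployed application folder before deployment; any finding is a file that a narrower folder pattern would have kept unexposed.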