Securing custom applications

If an ITP/OnLine ASP.NET custom application is going to be exposed to the Internet, it must be configured to run in Secure Mode. In this case, in order to secure the application from attackers from the Internet, ITP/OnLine applies strict conditions on the communication between the ITP/OnLine application and the web browser. The configuration setting Secure Mode can be enabled from the section Customization of the application configuration page. Refer to section The Customization section for more information. Changes to this setting only take full effect when the application is deployed. This can be done from the ITP/OnLine ASP.NET main configuration page.

When an application is running in Secure Mode, the following changes are applied:

By default, a file in the application folder is not exposed as a web URL, unless it is explicitly configured to be exposed. The configuration file securemode-urls.xml, which can be found in the root folder of the application, defines which files are exposed through web URLs.
Ad hoc model runs, which use URL parameters to specify the model run parameters, are not allowed. Only prepared model runs can be used.
Because the ITP/MDK Repository uses ad hoc model runs when testing models using ITP/OnLine, it is not possible to use a Secure Mode application to test models from the ITP/MDK Repository.
For the non-customizable web pages exposed by ITP/OnLine ASP.NET, strict parameter checks are applied, and the web pages refuse to load when these parameter checks fail.
Users are no longer authenticated using Windows Authentication, because this authentication method is not applicable in an Internet situation. Instead, access to the web pages is restricted to authorized users by verifying the session ID provided by the Internet user. Configuration pages, however, do still require the use of Windows Authentication, so that they cannot be accessed by unauthenticated Internet users.
Some internal workings of ITP/OnLine are modified compared to the non-secure mode so that they no longer pass information through URLs.

Note

The SecureSample application that is installed with ITP/OnLine has been written so that it can run when Secure Mode is enabled. If you use the application SecureSample as a starting point for creating a new application, always make sure that you are using the most recent version. Do not use the Sample or Sample2 applications as a starting point for creating a new Secure Mode application, because they were not designed for this purpose.

Note

SecureSample has been designed in such a way that it can also be used as a stand-alone letterbook. For this purpose, it contains a page preparelist.aspx, which automatically creates a prepared model list. This page merely serves as an example and should therefore never be used in Secure Mode. Refer to the comments in the preparelist.aspx.cs source for more information on this subject.