Developer Resources:

Customer Quotes:

WebORB Management Console is a Flex application that uses WebORB remoting for all supported operations. As a result, restricting access to console is not different than restricting access to the services used by user applications. The configuration steps below describe how to restrict access to the console so it works only for the requests originating from locahost:

1. Make sure to start with the deployment mode set to "open". You can check the deployment mode setting in weborb.config located in the root of your virtual directory. The <deploymentMode> element must say "open":


If you had to make a change in weborb.config, make sure to restart ASP.NET, so WebORB accepts the new setting.

2. Load management console and select the "Management" tab:

3. In the service browser expand weborb.dll and navigate to Weborb > Management. Select the Management node.

4. Click the "Security" tab located in the 3rd row of tabs. Select "Host" in the "Restriction type" dropdown.

5. Enter localhost in the "Host name" text field, select "Grant" radio button and click "Add". You will see the permission added in the "Grant Access Summary":

6. If there is another security constraint already assigned to the Management node for *.*.*.*., make sure to delete it.

The steps you performed restrict access to any class in the Weborb.Management namespace to invocations coming from localhost, thus if the console is loaded from a host other than localhost, invocations will fail.

There is an important decision you need to make: will you be switching to the "closed" mode or keep it "open". If you're deploying the system in production, it is recommended to change the mode to "closed". When in the "closed" mode, it is important to grant security constraints to any service used by the user application. If there are no security constraints on a service, the closed mode will not let anyone invoke it.

To change the system to the "closed" mode, make the change in weborb.config and restart ASP.NET. At this point, if console is accessed from a host other than localhost, it will report an error.

If WebORB were to remain in the "open" mode, there is an additional configuration step:

Select "Single IP" from the Restriction type dropdown. Keep the stars in the "IP Mask". Click "Deny" and then Add:

The reason for this is subtle: the "open" mode allows anything that is not restricted. When in "open" mode, if access to *.*.*.* is not restricted, then everyone can still use console. As a result, you need to block everyone except for "localhost", that's why denying access to *.*.*.* is important. For the "closed" mode it is different as it denies access to everything unless there is an explicit permission.