IBM® Connections supports three major intersecting dimensions of security for gadgets: feature access, page object access, and proxy access.
Feature access controls which gadget APIs a gadget is granted access to. Restricted gadgets are prevented from getting access to either Open Authorization (OAuth) or single sign-on (SSO) APIs and have limited interaction with the page. For example, they cannot save preferences on the IBM Connections Home page or use the open-views APIs to open pop-ups.
Unlike restricted gadgets, trusted gadgets can save state when they are rendered as Home page gadgets. They can also use the OAuth pop-up feature and open dialog boxes. However, despite the name, trusted gadgets are still sandboxed in a locked-domain deployment.
For more information, see Understanding and configuring locked domains.
Page object access
When enabled, the SSO feature causes the gadget to render in the unlocked container domain. As a result, SSO still functions through the proxy, but now SSO tokens are exposed through the state of the browser, and the gadget can directly manipulate the IBM
Proxy access determines whether a gadget is restricted to external-only sites or can make requests into your intranet. When authentication is not required to access intranet content, malicious or hacked gadgets might attempt to use the proxy to tunnel through the firewall to make unauthenticated requests for intranet content.
Intranet content is determined by the SSO Domain setting in IBM WebSphere Application Server. All requests through the proxy must be signed by specifying an auth type or by using the signed-request flag to identify the gadget that is making the call. By default, unsigned proxy requests are not permitted to access intranet resources.
When configuring the SSO Domain setting in WebSphere Application Server, always configure locked domains too. Also, although this setting can make access more difficult for SSO gadgets, the setting is not an effective way to restrict SSO gadget access to your intranet.
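A small Python model of the proxy access policy described above, added here as an illustration and not taken from IBM Connections code. It assumes a hypothetical SSO Domain value and a simplified trust-level and auth-type vocabulary, and shows the label-boundary suffix check that keeps a look-alike external host from being treated as intranet content.

```python
"""Illustrative model of the gadget proxy access rules (added example, not product code).

Assumes three inputs per request: the gadget's trust level, the auth type (or
signed flag) on the proxied request, and the target host, plus the configured
SSO Domain. The product's actual checks are not shown on the page.
"""
from dataclasses import dataclass

# Constructed configuration: the SSO Domain value (as set in WebSphere) that
# decides which hosts count as intranet content.
SSO_DOMAIN = ".example.internal"


@dataclass(frozen=True)
class ProxyRequest:
    gadget_trust: str        # "trusted" or "restricted"
    target_host: str         # host part of the URL the gadget asks the proxy to fetch
    auth_type: str = "none"  # "none", "signed", "oauth", or "sso"


def is_intranet(host: str, sso_domain: str = SSO_DOMAIN) -> bool:
    """Suffix match on a label boundary: 'app.example.internal' is intranet,
    'example.internal.attacker.test' and 'notexample.internal' are not."""
    host = host.lower().rstrip(".")
    dom = sso_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def evaluate(req: ProxyRequest, sso_domain: str = SSO_DOMAIN) -> tuple[bool, str]:
    """Return (allowed, reason) for one proxied request."""
    signed = req.auth_type in ("signed", "oauth", "sso")
    # Feature access: restricted gadgets get no OAuth or SSO APIs at all.
    if req.gadget_trust == "restricted" and req.auth_type in ("oauth", "sso"):
        return False, "restricted gadget may not use OAuth/SSO"
    if is_intranet(req.target_host, sso_domain):
        # Proxy access: unsigned calls cannot reach intranet resources by default.
        if not signed:
            return False, "unsigned request to intranet denied"
        return True, "signed request to intranet permitted"
    return True, "external site permitted"
```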