SOAP Request Strict Security
This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Disabling SSLv2/SSLv3.
During SOAP web service calls/requests made against the tables to perform any CREATE, READ, UPDATE or DELETE operation, the glide.soap.strict_security property enforces web service security using a combination of basic authentication challenge/response over the HTTP protocol and system level access control using the Contextual Security.
If this property is set to true, the following actions are performed:
- Check incoming SOAP request for role authorization to validate if the user has appropriate role to perform the operation
- Check the system-level ACLs while retrieving data in the form of SOAP data on the table
- Check the field-level ACLs for any CRUD operation performed against a field of table
| OAP Request Strict Security | |
|---|---|
| Property Name | glide.soap.strict_security |
| Configuration Type | System Properties (/sys_properties_list.do) |
| Purpose | Ensure security ACLs are checked and validated even when the records are accessed through SOAP calls |
| Requirement | Mandatory |
| Recommended Value | True |
| Default Behavior | Set to true |
| Revertible behavior | N/A |
| Role required | Security_admin |
| Release Version | Summer 2008 |
| Functional Impact | (High) This remediation enforces the system-level access control while retrieving data from tables/pages in the form of SOAP data on the instance. If there are users currently accessing this data, they are restricted/allowed to access the data based on the ACL rules. For the default roles that have access to the SOAP data, see SOAP Roles. |
| Security Risk | (High) Without appropriate authorization configured on the incoming SOAP requests, an unauthorized user can get access to sensitive content/data on the target instance. |
| Workaround | No alternate method available. |
| References |
