How to securely configure static resource access in ADSelfService Plus


Applicable to: Build 6304 and higher

Objective    

This article explains how to securely configure access to static resources such as PDFs, images, or documents in ADSelfService Plus builds 6304 and later. For enhanced security, direct access to static content is now restricted by default. Administrators must explicitly authorize specific paths in a configuration file to allow users to access these resources.
Optimizing access rules ensures:
  • Security: Reduces vulnerability to directory traversal and unauthorized downloads.
  • Control: You choose which files and folders are exposed.
  • Compliance: Aligns with security best practices and audit requirements.

Prerequisites    

  • Administrative access to the ADSelfService Plus server
  • A text editor such as Notepad or Notepad++
  • A backup of the existing security-customer.xml file

Steps to configure static resource access  

Step 1: Place static resources in the custom directory 
  1. Place your static files (e.g., .pdf, .png, .css) in the directory: <Installation_dir>\webapps\adssp\resources\custom-static (default installation directory path: C:\Program Files\ManageEngine\ADSelfService Plus)
Note: Create the custom-static folder manually if it does not already exist.
Step 2: Define the access rule in security-customer.xml
  1. Navigate to the security-customer.xml file located in the <Installation_dir>\conf directory.
  2. Open the security-customer.xml file in a text editor and add the following entry inside the <security-configuration> tags:
     <url path="/resources/custom-static/[a-zA-Z0-9 %._@-]+.(png|css|pdf)" method="get" ignore-extraparam="true" operation-type="read" />
  3. Adjust the regex to include any additional file extensions your environment requires (e.g., .jpg, .svg, .txt).
  4. Save the changes.
Security note:
  • Do not use overly broad regex patterns like .*, as they may expose unintended files.
  • Always restrict access to the specific file types required for business needs.
Step 3: Restart the service 
  1. Restart the ADSelfService Plus service in services.msc to apply the updated configuration.

Validation and confirmation    

  • Open a browser and try accessing a file (e.g., .pdf or .png) using a valid URL such as https://<your-server>:<port>/adssp/resources/custom-static/sample.pdf
  • Confirm that the file loads correctly without any access errors.
  • If access fails:
    • Verify the file path and extension in your security-customer.xml entry.
    • Review log files for detailed error messages.
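
A pre-deployment check for the Step 2 rule, added here as an example in Python (it is not ManageEngine code): it reads the <url> entries and tests each path pattern against constructed request paths that should be allowed or denied. It assumes the product matches the pattern against the whole request path; the second rule (escaped dot) and the third (.*) are constructed variants for comparison, and the file names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config: rule 1 is the entry from Step 2; rule 2 is a
# constructed variant with the dot before the extension escaped; rule 3 is the
# broad ".*" pattern the security note warns against.
SAMPLE_CONFIG = r'''<security-configuration>
  <url path="/resources/custom-static/[a-zA-Z0-9 %._@-]+.(png|css|pdf)" method="get" ignore-extraparam="true" operation-type="read" />
  <url path="/resources/custom-static/[a-zA-Z0-9 %._@-]+\.(png|css|pdf)" method="get" ignore-extraparam="true" operation-type="read" />
  <url path="/resources/custom-static/.*" method="get" ignore-extraparam="true" operation-type="read" />
</security-configuration>'''

# Constructed request paths (file names are hypothetical).
MUST_ALLOW = [
    "/resources/custom-static/sample.pdf",
    "/resources/custom-static/logo.png",
]
MUST_DENY = [
    "/resources/custom-static/../../conf/security-customer.xml",  # traversal
    "/resources/custom-static/sub/dir/file.pdf",                  # nested folder
    "/resources/custom-static/backup.zip",                        # unlisted type
    "/resources/custom-static/notes_pdf",                         # no ".pdf" suffix
]

def audit_rules(xml_text):
    """Return {path pattern: [findings]} for every <url> rule in xml_text."""
    report = {}
    for rule in ET.fromstring(xml_text).iter("url"):
        pattern = rule.get("path", "")
        rx = re.compile(pattern)
        # Assumption: the pattern must match the entire request path.
        findings = [f"allows {p}" for p in MUST_DENY if rx.fullmatch(p)]
        findings += [f"blocks {p}" for p in MUST_ALLOW if not rx.fullmatch(p)]
        report[pattern] = findings
    return report

if __name__ == "__main__":
    for pattern, findings in audit_rules(SAMPLE_CONFIG).items():
        print(pattern)
        for finding in findings or ["ok: no findings for the sample paths"]:
            print("   ", finding)
```

Under the full-match assumption, the Step 2 pattern as written accepts notes_pdf, because the . before (png|css|pdf) is unescaped and matches any character; the escaped variant produces no findings for these sample paths.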

Tips    

  • Backup: Always back up configuration files before modifying them.
  • Least privilege principle: Only allowlist specific resource types and names needed for business functions.
  • Audit periodically: Regularly audit and clean unused files from the custom-static directory for better security.

How to reach support               

If the issue persists, contact our support team here.
