How to securely configure static resource access in ADSelfService Plus


Applicable to: Build 6304 and higher

Objective    

This article explains how to securely configure access to static resources such as PDFs, images, or documents in ADSelfService Plus builds 6304 and later. For enhanced security, direct access to static content is now restricted by default. Administrators must explicitly authorize specific paths in a configuration file to allow users to access these resources.
Optimizing access rules ensures:
  • Security: Reduces vulnerability to directory traversal and unauthorized downloads.
  • Control: You choose which files and folders are exposed.
  • Compliance: Aligns with security best practices and audit requirements.

Prerequisites    

  • Administrative access to the ADSelfService Plus server
  • A text editor such as Notepad or Notepad++
  • A backup of the existing security-customer.xml file

Steps to configure static resource access  

Step 1: Place static resources in the custom directory 
  1. Place your static files (e.g., .pdf, .png, .css) in the directory: <Installation_dir>\webapps\adssp\resources\custom-static (default installation directory path: C:\Program Files\ManageEngine\ADSelfService Plus)
Note: Create the custom-static folder manually if it does not already exist.

Step 2: Define the access rule in security-customer.xml
  1. Navigate to the security-customer.xml file located in the <Installation_dir>\conf directory.
  2. Open the security-customer.xml file in a text editor and add the following entry inside the <security-configuration> tags:
<url path="/resources/custom-static/[a-zA-Z0-9 %._@-]+.(png|css|pdf)" method="get" ignore-extraparam="true" operation-type="read" />
  3. Adjust the regex to include any additional file extensions your environment requires (e.g., .jpg, .svg, .txt).
  4. Save the changes.
Security note:
  • Do not use overly broad regex patterns such as .*, as they may expose unintended files.
  • Always restrict access to the specific file types required for business needs.
Step 3: Restart the service 
  1. Restart the ADSelfService Plus service in services.msc to apply the updated configuration.

Validation and confirmation    

  • Open a browser and try accessing a file (e.g., .pdf or .png) using a valid URL such as https://<your-server>:<port>/adssp/resources/custom-static/sample.pdf
  • Confirm that the file loads correctly without any access errors.
  • If access fails:
    • Verify the file path and extension in your security-customer.xml entry.
    • Review log files for detailed error messages.
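
A candidate rule can also be checked offline before it is saved and the service restarted. The script below is an added example, not ManageEngine's code: it reads the url entries from a constructed security-customer.xml snippet and tests each path pattern against constructed request paths. It assumes the path attribute is evaluated as a regular expression that must match the whole path; the second entry, with the dot before the extension escaped, is a hypothetical variant included for comparison.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Step 2 entry, a variant with the dot before the
# extension escaped (hypothetical), and the broad pattern the article warns against.
SAMPLE_CONFIG = r"""<security-configuration>
  <url path="/resources/custom-static/[a-zA-Z0-9 %._@-]+.(png|css|pdf)" method="get" ignore-extraparam="true" operation-type="read" />
  <url path="/resources/custom-static/[a-zA-Z0-9 %._@-]+\.(png|css|pdf)" method="get" ignore-extraparam="true" operation-type="read" />
  <url path="/resources/custom-static/.*" method="get" ignore-extraparam="true" operation-type="read" />
</security-configuration>"""

# Constructed paths the rule is meant to serve.
EXPECTED = ["/resources/custom-static/sample.pdf",
            "/resources/custom-static/logo%20v2.png"]

# Constructed paths no custom-static rule should match.
PROBES = ["/resources/custom-static/../../conf/security-customer.xml",
          "/resources/custom-static/backup.zip",
          "/resources/custom-static/sub/dir/file.pdf",
          "/resources/custom-static/reportXpdf"]  # no dot before the extension


def load_rules(xml_text):
    """Return the path attribute of every <url> element in the config."""
    return [u.get("path") for u in ET.fromstring(xml_text).iter("url")]


def allowed(rule, path):
    # Assumption: the rule must match the whole request path.
    return re.fullmatch(rule, path) is not None


def audit(rule):
    """Return (expected paths the rule blocks, probe paths it allows)."""
    blocked = [p for p in EXPECTED if not allowed(rule, p)]
    leaked = [p for p in PROBES if allowed(rule, p)]
    return blocked, leaked


if __name__ == "__main__":
    for rule in load_rules(SAMPLE_CONFIG):
        blocked, leaked = audit(rule)
        print(rule)
        print("  blocks expected:", blocked or "none")
        print("  allows probes:  ", leaked or "none")
```

Under these assumptions, the unescaped dot in the first pattern matches any single character, so a name such as reportXpdf passes; the escaped variant passes none of the probes, and the .* pattern passes all of them.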

Tips    

  • Backup: Always back up configuration files before modifying them.
  • Least privilege principle: Only allowlist specific resource types and names needed for business functions.
  • Audit periodically: Regularly audit and clean unused files from the custom-static directory for better security.

How to reach support               

If the issue persists, contact our support team here.
