· Nov 17, 2021

CSP Security - Static Files + Redirect

Hey Intersystems Community!

I'm trying to get IRIS to serve static files, including security and redirect to login if no session is present.

This is the flow I am trying to accomplish:

  1. User Opens a page, <my-iris-instance>/my-app/index.html, index.html being a static file
  2. User is redirected to the default IRIS Login page since no session is present
  3. User logs in
  4. User gets redirected back to index.html

For CSP applications this seems to work. I can open "http://localhost:52773/csp/sys/sec/%25CSP.UI.Portal.Applications.Web.zen..." in an incognito tab and get redirected to the web application configuration page after login. For static files, this does not work when ServeFiles is set to "3" (Use ISC Security).

Now, I understand that it is expected behavior (snipped from source code of Security.Applications):

/// 3 - Use CSP security - If the user has permissions to view a csp/cls page in this application then allow them to view a static file, if they do not have permissions to view a csp/cls page then return a 404 page not found page.<br>

Property ServeFiles As %Integer;

Now I'm looking for a way to create a smart workaround for this. I would appreciate any suggestions!

A bit of background Information:

  • The static files are an Angular (9) application, the application itself can be served quite well from IRIS with hash-routing
  • The Angular app is supposed to utilize the IRIS Session as authentication method, i.E. the Angular app does not do security on it's own, instead relies on IRIS to prevent unauthorized access.
  • The target environment does not support containers - static files need to be delivered through IRIS

We do have an implementation already that uses nginx, oauth2-proxy (, IRIS WebGateway and the IRIS oAuth2 Server, and while that works (and fits our security needs), it heavily relies on docker containers.

Product version: IRIS 2021.1
Discussion (1)1
Log in or sign up to continue

I do believe I found a decent solution to my own problem.

  • Rename the Angular index.html to index.csp. In angular.json, set the property to src/index.csp
  • Set the AutoCompile property of the Security.Applications web application to 1
  • Set ServeFiles to 3

That way, the index.html effectively serves as as a CSP page. No changes are done to the content of the index.html, IRIS seems to be happy with taking a plain HTML file as CSP. AutoCompile makes sure that the index.csp is compiled if needed (useful for local development).