You can create the following optional config file to restrict access to the Transaction Restore API: txnrestore-api.properties.
Save the file to the \WEB-INF directory.
In this file, set the validHosts parameter to a comma-separated list of host names, IP addresses, or regular expressions that match either. For example:
validHosts=host1, 192.168.168.97, dev.*
In the example above, the following machines have access to the Transaction Restore API:
Any machine named "host1". (The host name is derived from a DNS reverse lookup or from the web server.)
The machine with IP address 192.168.168.97.
Any machine with a name that starts with "dev". (The host name is derived from a DNS reverse lookup or from the web server.)
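The following Python sketch is an added example, not code from the product. It reports which host names a validHosts value admits, assuming every entry is applied as a regular expression that must match the whole host name or IP address (the page does not state the matching rules). The candidate names, the example.net domain, and the tightened list are constructed for illustration.

```python
import re

# Constructed sample: the validHosts line from the example above.
SAMPLE_PROPERTIES = "validHosts=host1, 192.168.168.97, dev.*\n"

# Constructed, narrower alternative: dots escaped, numbered dev hosts in one domain.
TIGHTENED = ["host1", r"192\.168\.168\.97", r"dev[0-9]+\.example\.net"]

# Constructed candidates: host names or addresses a caller might resolve to.
CANDIDATES = ["host1", "host10", "192.168.168.97", "dev01.example.net",
              "developer-laptop", "devices.example.net", "prod-dev"]


def parse_valid_hosts(properties_text):
    """Return the trimmed entries of the validHosts property, or [] if absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "validHosts":
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def matching_entries(entries, candidate):
    """Entries that admit candidate. ASSUMPTION: each entry is a whole-string regex."""
    return [e for e in entries if re.fullmatch(e, candidate)]


def audit(entries, candidates):
    """Map each candidate host name or IP to the entries that would admit it."""
    return {c: matching_entries(entries, c) for c in candidates}


if __name__ == "__main__":
    original = parse_valid_hosts(SAMPLE_PROPERTIES)
    for label, entries in (("original", original), ("tightened", TIGHTENED)):
        print(f"--- {label}: {entries}")
        for host, hits in audit(entries, CANDIDATES).items():
            verdict = "allowed by " + ", ".join(hits) if hits else "denied"
            print(f"{host:22} {verdict}")
```

Under that assumption, dev.* also admits developer-laptop and devices.example.net, while the escaped, narrower pattern admits only dev01.example.net.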
Effective in version 5.3.3 HotFix 2, the txnrestore-api.properties file is deprecated. Instead, modify the validHosts property in the conf.properties file.
Effective in version 5.3.4, the default security changed. By default, only the machines that you configure as valid hosts in the conf.properties file are authorized to call the JavaServer page API. Previously, if you did not configure valid hosts, then any IP address or host could call the JavaServer page API.