XMPie web security

Summary: This article reviews the security of RURL sites based on XMPie technology. XMPie Web security is constructed in several layers: Architecture, Technologies, Authentication and SECURL RURL Templates. In addition, the article discusses the secured environment of the XMPie Email Service.

Audience: XMPie prospects and customers who wish to understand and build a secured web application based on XMPie technology.

Architecture

The XMPie software architecture allows the web serving workflow to be split across separate machines in order to promote security. The separation is optional, as the workflow can also run on a single machine.

This diagram shows a traditional web deployment supported by XMPie:

·     The Web Server is a separate machine, serving requests over ports 80 and 443.

·     The Web Server connects to the XMPie uProduce server (to get recipient profiles) by calling web services, also served over port 80 / 443.

·     uProduce connects to the client database over the OLEDB protocol (with security settings as supported by the DB).

To ensure security, the above deployment allows for placing the Web Server in the DMZ while exposing only ports 80 / 443 to the Internet. The uProduce and DB servers are deployed in the LAN (internal network), accepting requests only from the Web Servers and being completely blocked for external access.

Furthermore, it is possible to place a Reverse Proxy machine in front of the Web Server machine.
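
The deployment described above can be checked mechanically. The following Python sketch is an added example, not XMPie code: it audits a list of firewall "allow" rules against that topology. The IP addresses, the rule format and the database port (1433, the SQL Server default) are assumptions made for illustration, as is treating uProduce as the only permitted source for the DB server.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    """One inbound 'allow' rule: source CIDR -> destination role, port range."""
    src: str
    dst: str
    ports: tuple  # (low, high), inclusive

# Constructed addresses; the roles follow the deployment described above.
HOSTS = {"web": "192.168.100.10", "uproduce": "10.0.0.20", "db": "10.0.0.30"}
DB_PORT = 1433  # assumption: SQL Server default; the page only says OLEDB

# destination role -> (only permitted source network, permitted ports)
POLICY = {
    "web": ("0.0.0.0/0", {80, 443}),
    "uproduce": (HOSTS["web"] + "/32", {80, 443}),
    "db": (HOSTS["uproduce"] + "/32", {DB_PORT}),
}

def audit(rules):
    """Return (rule, reason) for every allow rule that is wider than POLICY."""
    findings = []
    for rule in rules:
        if rule.dst not in POLICY:
            findings.append((rule, "unknown destination"))
            continue
        allowed_src, allowed_ports = POLICY[rule.dst]
        src = ipaddress.ip_network(rule.src)
        if not src.subnet_of(ipaddress.ip_network(allowed_src)):
            findings.append((rule, f"source {rule.src} not limited to {allowed_src}"))
        low, high = rule.ports
        extra = [p for p in range(low, high + 1) if p not in allowed_ports]
        if extra:
            findings.append((rule, f"{len(extra)} port(s) outside {sorted(allowed_ports)}"))
    return findings

# Constructed sample rule set containing three mistakes.
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "web", (80, 80)),
    Rule("0.0.0.0/0", "web", (443, 443)),
    Rule("0.0.0.0/0", "web", (3389, 3389)),           # extra port open to the Internet
    Rule("192.168.100.10/32", "uproduce", (443, 443)),
    Rule("0.0.0.0/0", "uproduce", (80, 80)),          # LAN server reachable externally
    Rule("10.0.0.20/32", "db", (1433, 1433)),
    Rule("10.0.0.0/24", "db", (1433, 1433)),          # whole LAN, not just uProduce
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst}:{rule.ports}: {reason}")
```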

Technologies

The XMPie Web Server technology follows an industry-standard approach. The Web Server is a Windows Server machine, running IIS as the web server and ASP.NET as the application platform.

The XMPie web actions are simply ASP.NET code that is deployed on the IIS server. The code is fully editable (except for a single XMPie support library).

This approach, which is unique in the XM VDP space, gives the IT department great freedom to implement any security measure (as well as other features) on the Web Server. It also means that developers can add any custom security feature they want, for example a login procedure to protect the web pages, multi-tiered login, session timeouts, auditing, etc.

In cases where Windows/ASP.NET is less desirable, it is possible to override XMPie's normal behavior and call the uProduce web services directly, allowing other web technologies to be supported (e.g. Linux/Apache) together with other languages (e.g. PHP, Java).

Note, however, that this method requires more manual work, as some out-of-the-box features provided by XMPie are skipped this way.

Authentication

All calls from the Web Server to the uProduce server are performed by calls to web services, which all require authentication. The authentication also sets the context of the campaign: the recipient of campaign A will not have access to data from campaign B even if there is a programming error.

SECURL Templates

The XMPie RURL Wizard tool comes with several RURL Templates, including templates that demonstrate XMPie's superior web security features. These templates are collectively referred to as SECURL Templates.

The SECURL templates show how to protect some web pages behind a login mechanism, as well as offer the possibility to provide further protection via CAPTCHA and SSL security. The templates can be referenced as code samples or used to start real web sites (by using the RURL Wizard tool). In either case, the code generated by the SECURL Templates can be fully customized to suit any need (for example, modified to use a different CAPTCHA implementation, expanded to add more security features, etc.).

XMPie Email Services Security

XMPie Email Service is based on Exact Target technology. Exact Target is a highly secured Email Service Provider, following a strict security policy. All communication between XMPie uProduce servers and Exact Target servers is done in a secured manner, using Secured Web Services (WSE) over port 443.

Summary

By using industry-standard practices and technologies, and by providing its web personalization as open-source, editable code, XMPie allows the user to fully customize the web channel, deploy it in various ways to suit IT requirements, and enhance and modify the code to reach any desired behavior, all while keeping the XMPie benefits of integrated cross-media.

 

Created by: Ranen Goren and David Shalom, last updated: April 4, 2011