Nilesh_Shinde Member since 2017 7 posts
Posted: 2 years ago
Last activity: 2 years 11 months ago

Security Fix - urlaccessmode with deny value (<env name="security/urlaccessmode" value="warn" />).

We are trying to implement URL tampering protection using one of the four modes below. The setting can be made either in prconfig or in a DSS defined under Pega-Engine (we have set it to the ‘deny’ value).

<env name="security/urlaccessmode" value="warn" />

Valid values are:

  1. Allow - disable validation
  2. Deny - send an exception to the client and stop processing
  3. Warn - print a log message when tampering is detected but allow the action anyway
  4. AccessGroup - intended to provide a drop-down to select the mode on the Access Group rule. Nevertheless, this is currently not available.

The problem we are facing is that if we set “security/urlaccessmode” to value=”deny”, we run into the issue below:

Issue: When we try to refresh an Alert by clicking Refresh under the Actions menu, the Alert becomes inaccessible. All the buttons on the UI freeze and become unclickable, a loading icon appears, and the only solution is to close the Alert and open it again (Attachment: InactiveAlertPage.PNG).

For this issue, two SRs, SR-B54993 and SR-B77297, were raised earlier.

Please suggest whether any alternative approach is available to implement urlaccessmode with the deny value.

***Updated by moderator: Lochan to add SR Exists group tag***

Moderation Team has archived post