Close popover
Attila Donath (AttilaDonath)
Pega Lead System Architect
AttilaDonath Member since 2016 10 posts
Posted: March 13, 2019
Last activity: August 14, 2019

Why the URL parameters get encrypted in Pega 8? (?pzuiactionzzz=...)


We are upgrading a Pega application from version 7 to version 8.

There are some functionalities for that we need to call a specific URL and then extract a part of the URL using JavaScript.

For the sake of simplicity let's take this URL as it is available in all Pega installations (gets the Mashup script): http://[our domain]/prweb?pyActivity=pzIncludeMashupScripts
And the tasks is to fetch the Activity name using JavaScript (here: "pzIncludeMashupScripts").

In Pega 7 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pyActivity=pzIncludeMashupScripts
That's fine, we still have the Activity name ("pzIncludeMashupScripts") in it and it can be parsed.

However in Pega 8 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=CXtpbn1jaW1RV1hLOEoyeVdRaEtra05SQTdzOGFvbEVJRXMrdE1EMm9yaVhFZ2lBRXZ4TlFEVEdH%0AbmN5Sk1HNWVLV1NZ*
It seems that the pzuiactionzzz parameter contains some kind of hashed value of the previous parameters.
This is not good for us, as the Activity name is no longer in the URL - it cannot be extracted using JavaScript.

I found some articles which seem to be related:

So according to the above articles I disabled URL encryption:
Pega-Engine • prconfig/initialization/urlencryption/default: false
Pega-Engine • prconfig/initialization/submitobfuscatedurl/default: optional

But still, the URL parametes get transformed into the ?pzuiactionzzz=... hashed form.
I even tried using the URL Mappings rule, but the "nice URL" was transformed to ?pzuiactionzzz=... as well.

My goal here is to understand what's going on, why it has changed it Pega 8.
From security perspective it's very good that the URL parameters are encrypted, and I guess, we will need to find a better solution than parsing the URL using JavaScript.
So the question is not how to solve this particular problem, but rather to have a general understanding.

Could you please provide some documentation about what is behind this mechanism?
How does the URL encryption work, and is it really connected to that ?pzuiactionzzz=... parameter?
How is the hash calculated for ?pzuiactionzzz=...?

Best regards,

***Edited by Moderator Marissa to update platform capability tags****

Security User Experience
Moderation Team has archived post,
Close popover This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.