Question
Cognizant Technology Solutions
US
Last activity: 10 Nov 2016 5:20 EST
How to limit the Activites that can be run from a Pega Mashup screen
I couldn't find any documentation on PDN with regards to how to limit the activities that can be run from a Pega Mashup screen. I vaguely recall seeing some old documentation related to some configuration in prConfig.xml, but I couldn't find those on PDN anymore.
Our Pega screen is embedded in a WebSphere portal page which is exposed to the internet, so the page is subject to simple hacks such as updating the iframe URL to call another activity.
***Updated by Moderator: Vidyaranjan| Included categories***
Accepted Solution
Pegasystems Inc.
US
Securing applications (including activities) in Pega 7 is done using the core platform security features including the Pega Access Manager, operator access groups (including rule security mode configuration), roles and privileges. There are no Pega Web Mashup (formerly known as IAC) specific features for application security along the lines of what I believe you're asking about. Lastly, the Pega 7 Platform is secure by default from XSS, CSRF and other common attacks when applications are built in a guardrails compliant manner.
PEG
PL
You can have a CSRF setting enabled (we have DSS) to fix your issue.
The following dynamic system settings have been introduced to address the CSRF issue:
- security/csrf/securedActivities - comma separated list. The format for the list of activities would be Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatorIds, Data-Admin-.pzCreateOperator
- security/csrf/securedStreams - comma separated list. The format for the list of streams would be @baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword
  (It is better to avoid the class names, which only means more coverage.)
- security/csrf/validreferers - comma separated host names. This setting specifies the valid referrers the incoming requests can have. Sample value: http://wrupaaw7,http://wrupaaw7:8080
- security/csrf/mitigation - the switch used to toggle the "CSRF mitigation using referer validation" feature on or off. Default value is FALSE. Sample value: TRUE
- security/csrf/secureall - indicates that all activities and streams are secured, no exceptions.
- An AES alert with code SECU0008 would be raised for CSRF attack suspects.
Sample settings:
security/csrf/securedActivities: Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatorIds, Data-Admin-.pzCreateOperator, ReloadSection,GetLocationInFlow,PegaAccel-Task-DocumentApp.pzDocumentNow,@baseclass.WBGetRuleXmlWithKeys,getCorrInsert,PegaAccel-Task-DocumentApp.pzDocumentNow,@baseclass.WBGetRuleXmlWithKeys,
security/csrf/securedStreams: @baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword, Operator-Profile-ChangePassword
security/csrf/validreferers: http://wrupaaw7,http://wrupaaw7:8080,https://mail.google.com/mail/?shva=1#inbox,https://mail.google.com,
security/csrf/mitigation (DSS): false
Using security/csrf/secureall=true is too restrictive.
For the list of secured activities, it is recommended to utilize the SQL below to identify those needing to be added to the setting. Primarily though you need to secure activities that can be triggered by a user or have 'May Start' checked. Depending on the number of activities in the system this could be a large entry in the DSS.
To determine what activities qualify you can run a query similar to this:
    SELECT DISTINCT pyrulename
    FROM rulesschema.pr4_rule
    WHERE pxobjclass = 'Rule-Obj-Activity'
      AND pyruleavailable IN ('Yes', 'Final')
      AND pyinputmaystart = 'true';
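An added illustration, not Pega's code and not from anyone in this thread, of how the security/csrf/* settings described above could gate an activity request: a simplified Python model, assumed from the descriptions in this post, in which a secured activity must arrive with a Referer whose origin is in validreferers, and a miss is a CSRF suspect flagged with the SECU0008 code. The sample DSS values, the tolerant parsing of the comma-separated lists, the bare-name matching rule and the request shapes are all my assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample values in the comma-separated format shown in the post.
SAMPLE_DSS = {
    "security/csrf/mitigation": "true",
    "security/csrf/secureall": "false",
    "security/csrf/securedActivities":
        "Data-Admin-Operator-ID.AddNewOperator, Data-Admin-.pzCreateOperator, ReloadSection,",
    "security/csrf/validreferers": "http://wrupaaw7,http://wrupaaw7:8080,",
}


def parse_list(value):
    """Split a comma-separated DSS value, tolerating spaces and trailing commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_secured(name, secured):
    """Assumed matching rule: an entry such as 'Data-Admin-.pzCreateOperator'
    matches only that class-qualified name, while a bare entry ('ReloadSection')
    matches that activity in any class (the broader coverage the post recommends)."""
    _cls, _, activity = name.rpartition(".")
    return any(entry == name or ("." not in entry and entry == activity)
               for entry in secured)


def referer_origin(referer):
    """Reduce a Referer URL to scheme://host[:port] for comparison."""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(activity, referer, dss=SAMPLE_DSS):
    """Return (allowed, alert_code) for one class-qualified activity request.
    Hypothetical model: nothing is checked unless mitigation is on; a secured
    activity (or every activity when secureall is true) needs a valid referrer."""
    if dss.get("security/csrf/mitigation", "false").lower() != "true":
        return True, None  # mitigation off (the documented default)
    secure_all = dss.get("security/csrf/secureall", "false").lower() == "true"
    secured = parse_list(dss.get("security/csrf/securedActivities", ""))
    if not secure_all and not is_secured(activity, secured):
        return True, None  # unlisted activity: no referrer validation applied
    valid = {referer_origin(r) for r in parse_list(dss.get("security/csrf/validreferers", ""))}
    if referer and referer_origin(referer) in valid:
        return True, None
    return False, "SECU0008"  # CSRF suspect: alert code named in the post
```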
Cognizant Technology Solutions
US
Thanks for the reply.
From what I understood, this is a CSRF mitigation solution, but my scenario is different here: rather than guarding the authenticated user from third party attacks, this screen is open to any unauthenticated users from the internet, so I want to create some kind of a white list of activities that can be executed, and any attempt to execute any other activities will be prohibited.
Cognizant Technology Solutions
US
Can someone help?
Pegasystems Inc.
US
When you searched the PDN, did you look at this page, https://collaborate.pega.com/discussion/pega-web-mashup-iac-and-browser-backforward-navigation-button-behavior, and the Secure a web mashup widget? It contains links to --
https://pdn.pega.com/pega-web-mashup-data-security
https://pdn.pega.com/configuring-pega-web-mashup-authentication
Cognizant Technology Solutions
US
Thank you for the reply, but somehow I am getting an "Access Denied" error when trying to open this link: https://pdn.pega.com/pega-web-mashup-data-security
Pegasystems Inc.
US
Thanks for calling this problem to our attention!
The article is Pending Publication. (Pega employees can see the article and its status; external customers cannot.)
I have submitted a Pega-internal PDN Request to ask why this Pega 7.2.1 article is not yet published:
https://pdn.pega.com/pega-web-mashup-data-security
Thank you for following the advice of David Kircheis and confirming your results using his information.
Pegasystems Inc.
US
The PDN Article is now published:
https://pdn.pega.com/pega-web-mashup-data-security
If you have issues with this article or its Related Content, submit PDN Feedback, as described in this post, https://collaborate.pega.com/discussion/how-report-pdn-issues.
Thanks!
Cognizant Technology Solutions
US
Thank you!
I think I have found my answer from your post: I will use Pega standard security features (operator access groups, including rule security mode configuration, roles and privileges).
I guess I was thrown off by that old article that I recall reading about using prconfig.xml to achieve security restriction on web users.