Question

Rabobank
NL
Last activity: 9 Mar 2018 13:52 EST
How to make sure download of the log-files with direct URL requires authentication?
If you go to the Log landing page and open the Log Files, you can actually see a direct URL to log files. For example, the PegaRULES.log file can be downloaded using the following direct URL:
http://hostname/prweb/DiagnosticData?logType=PEGA&format=text
If you just type in this URL, it's also possible to download the log file without authentication (on a production system). This is at least also possible in Pega version 7.3.0.
According to this article, https://pdn.pega.com/support-articles/pega-authentication-requirement-log-download, this seems to be an enhancement, but we had a security finding on this.
Is there a way to configure this to make sure this authentication is used to download the log files? If not, any other recommendations to secure the log files?
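
A check for the behaviour described in the question, added here as an example and not part of the original post or any Pega tooling: it requests the log URL quoted above with no credentials or cookies and classifies the response, so the finding can be retested after any access-control change. The base URL you pass in, the `classify`/`probe` names and the verdict strings are assumptions of this sketch; only the path and query string come from the post.

```python
import sys
import urllib.error
import urllib.request

# Path and query string as quoted in the question; the host is supplied by the caller.
LOG_PATH = "/prweb/DiagnosticData?logType=PEGA&format=text"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them to a login page."""

    def redirect_request(self, *args, **kwargs):
        return None


def classify(status, headers, body):
    """Interpret the response to an unauthenticated request for the log file."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:
        # Typically a redirect to a sign-in page; confirm the target by hand.
        return "protected (redirect to %s)" % hdrs.get("location", "?")
    if status == 200 and body.strip():
        if hdrs.get("content-type", "").lower().startswith("text/html"):
            return "review"  # may be a login form served with 200, not log data
        return "EXPOSED"     # content returned without any authentication
    return "review"


def probe(base_url, timeout=10):
    """Send one credential-free GET to a host you administer and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + LOG_PATH, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read(2048))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers), b"")


if __name__ == "__main__" and len(sys.argv) == 2:
    verdict = probe(sys.argv[1])  # e.g. http://hostname (placeholder from the post)
    print(verdict)
    sys.exit(1 if verdict == "EXPOSED" else 0)
```

Run it from a scheduled job or pipeline against each environment; a non-zero exit means the log file is still served to an unauthenticated client.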