Security Fix - urlaccessmode with deny value (<env name="security/urlaccessmode" value="warn" />).
We are trying to implement the URL tampering protection using one of the four modes below. The setting can be done either in prconfig or in a DSS defined under Pega-Engine (we have done this setting with the ‘deny’ value).
<env name="security/urlaccessmode" value="warn" />
Valid values are:
- Allow – disable validation
- Deny – send an exception to the client and stop processing
- Warn - print log message when tamper detected but allow the action anyway
- AccessGroup - It is intended to provide a drop-down to select the mode on the Access Group rule. Nevertheless, this is currently not available.
The problem we are facing is: if we set “security/urlaccessmode” to value="deny", we face the issue below.
Issue: When we try to refresh an Alert by clicking Refresh under the Actions menu, the Alert becomes inaccessible. All the buttons on the UI freeze and cannot be clicked, a loading icon appears, and the only solution is to close the Alert and open it again (Attachment: InactiveAlertPage.PNG).
For this issue we had two SRs, SR-B54993 and SR-B77297, raised earlier.
Please suggest whether any other alternate approach is available to implement urlaccessmode with the deny value.
***Updated by moderator: Lochan to add SR Exists group tag***
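As an added example (not part of the original post, and not Pega's own code), here is a small audit script that parses a prconfig-style XML fragment, extracts `security/urlaccessmode`, and classifies it using the semantics of the four modes listed above: allow and warn are reported as weak (validation disabled or only logged), deny as enforced, and AccessGroup as not available. It also catches the setting being absent or defined more than once. The `<pegarules>` root element, the two sample configs, and case-insensitive matching of the value are assumptions for the example.

```python
"""Audit the security/urlaccessmode setting in a prconfig-style XML file.

Added example; not code from the original post or from Pega. The <pegarules>
root and the sample configs below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SETTING = "security/urlaccessmode"

# Classification of each mode, following the post's description of the four
# values: allow disables validation, warn logs but still runs the action,
# deny raises an exception and stops, AccessGroup is not available yet.
MODE_INFO = {
    "allow": ("WEAK", "URL tamper validation is disabled"),
    "warn": ("WEAK", "tampering is only logged; the action still runs"),
    "deny": ("ENFORCED", "tampered request gets an exception and stops"),
    "accessgroup": ("UNAVAILABLE", "per-Access-Group selection is not available"),
}

# Constructed sample configs: the weak setting and the enforced one.
WARN_CONFIG = """<pegarules>
  <env name="security/urlaccessmode" value="warn" />
</pegarules>"""

DENY_CONFIG = """<pegarules>
  <env name="security/urlaccessmode" value="deny" />
</pegarules>"""


def find_env_values(prconfig_xml, name):
    """Return every value of <env name=... value=.../> entries with the given name."""
    root = ET.fromstring(prconfig_xml)
    return [e.get("value", "") for e in root.iter("env") if e.get("name") == name]


def audit_urlaccessmode(prconfig_xml):
    """Classify the effective urlaccessmode in a prconfig XML string.

    Returns a dict with the normalised mode (or None), a status of
    WEAK / ENFORCED / UNAVAILABLE / INVALID / UNSET, a short note, and a
    flag telling whether the setting was defined more than once.
    """
    values = find_env_values(prconfig_xml, SETTING)
    if not values:
        return {
            "mode": None,
            "status": "UNSET",
            "note": f"{SETTING} is not present in prconfig",
            "duplicates": False,
        }
    # Assumption: if the entry repeats, treat the last one as effective and
    # flag the duplication so the operator can clean the file up.
    mode = values[-1].strip().lower()
    status, note = MODE_INFO.get(mode, ("INVALID", "unrecognised value"))
    return {
        "mode": mode,
        "status": status,
        "note": note,
        "duplicates": len(values) > 1,
    }


if __name__ == "__main__":
    for label, cfg in (("warn", WARN_CONFIG), ("deny", DENY_CONFIG)):
        result = audit_urlaccessmode(cfg)
        print(f"{label}: {result['status']} - {result['note']}")
```

Run it against a real prconfig.xml by reading the file into a string and passing it to `audit_urlaccessmode`; a WEAK or UNSET result means tampered URLs are not being rejected, which is the state the original poster is trying to move away from.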