Question
Cognizant
CH
Last activity: 14 Aug 2019 14:14 EDT
Why the URL parameters get encrypted in Pega 8? (?pzuiactionzzz=...)
Hi,
We are upgrading a Pega application from version 7 to version 8.
There are some functionalities for that we need to call a specific URL and then extract a part of the URL using JavaScript.
For the sake of simplicity let's take this URL as it is available in all Pega installations (gets the Mashup script): http://[our domain]/prweb?pyActivity=pzIncludeMashupScripts
And the tasks is to fetch the Activity name using JavaScript (here: "pzIncludeMashupScripts").
In Pega 7 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pyActivity=pzIncludeMashupScripts
That's fine, we still have the Activity name ("pzIncludeMashupScripts") in it and it can be parsed.
However in Pega 8 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=CXtpbn1jaW1RV1hLOEoyeVdRaEtra05SQTdzOGFvbEVJRXMrdE1EMm9yaVhFZ2lBRXZ4TlFEVEdH%0AbmN5Sk1HNWVLV1NZ*
It seems that the pzuiactionzzz parameter contains some kind of hashed value of the previous parameters.
This is not good for us, as the Activity name is no longer in the URL - it cannot be extracted using JavaScript.
I found some articles which seem to be related:
Hi,
We are upgrading a Pega application from version 7 to version 8.
There are some functionalities for that we need to call a specific URL and then extract a part of the URL using JavaScript.
For the sake of simplicity let's take this URL as it is available in all Pega installations (gets the Mashup script): http://[our domain]/prweb?pyActivity=pzIncludeMashupScripts
And the tasks is to fetch the Activity name using JavaScript (here: "pzIncludeMashupScripts").
In Pega 7 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pyActivity=pzIncludeMashupScripts
That's fine, we still have the Activity name ("pzIncludeMashupScripts") in it and it can be parsed.
However in Pega 8 the URL becomes: http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=CXtpbn1jaW1RV1hLOEoyeVdRaEtra05SQTdzOGFvbEVJRXMrdE1EMm9yaVhFZ2lBRXZ4TlFEVEdH%0AbmN5Sk1HNWVLV1NZ*
It seems that the pzuiactionzzz parameter contains some kind of hashed value of the previous parameters.
This is not good for us, as the Activity name is no longer in the URL - it cannot be extracted using JavaScript.
I found some articles which seem to be related:
- https://community.pega.com/support/support-articles/pega-web-mashup-does-not-load-enabling-url-encryption
- https://community.pega.com/support/support-articles/mashup-urlencryption-pega-platform-74
- https://community.pega.com/knowledgebase/articles/security-settings-prconfigxml-file
So according to the above articles I disabled URL encryption:
Pega-Engine • prconfig/initialization/urlencryption/default: false
Pega-Engine • prconfig/initialization/submitobfuscatedurl/default: optional
But still, the URL parametes get transformed into the ?pzuiactionzzz=... hashed form.
I even tried using the URL Mappings rule, but the "nice URL" was transformed to ?pzuiactionzzz=... as well.
My goal here is to understand what's going on, why it has changed it Pega 8.
From security perspective it's very good that the URL parameters are encrypted, and I guess, we will need to find a better solution than parsing the URL using JavaScript.
So the question is not how to solve this particular problem, but rather to have a general understanding.
Could you please provide some documentation about what is behind this mechanism?
How does the URL encryption work, and is it really connected to that ?pzuiactionzzz=... parameter?
How is the hash calculated for ?pzuiactionzzz=...?
Best regards,
Attila
***Edited by Moderator Marissa to update platform capability tags****
Charles Schwab & Company Inc
US
Hello Kevin,
Request you to please help me with a reply from the SME if possible soon as I am in need of implementing a solution as POC more details you can find in the below link.
https://collaborate.pega.com/question/pega-web-mashup-and-url-encryption
Thank you.
Pegasystems
IN
Hi Attila, you are right, the changes to the URL parameters are for security reasons.
We advise developers to rely on server side logic in activities to do the parsing of the parameters.
Cognizant
CH
Hi Srikanth,
Thank you for your answer.
Does this functionality have something to do with the initialization/urlencryption and initialization/submitobfuscatedurl system settings or is it something completely different?
Charles Schwab & Company Inc
US
Hello AttilaDonath,
I was going thru your post and thought my post is some where related can you please guide me with some points on my below post. Thanks.
https://collaborate.pega.com/question/pega-web-mashup-and-url-encryption
Cognizant
CH
Hello,
At the end we solved the issue with a different approach, so unfortunately I cannot give you any hints on the SubmitObfuscatedURL parameter.
Charles Schwab & Company Inc
US
Hello Attila,
Thanks for the reply so if its ok by you to share can you please let me know the approach you tried as even I am doing a POC around to make it work.
If its not feasible to share here it works no issues. Thanks.
Cognizant
CH
Hello Kapil,
My task was just to add a value to the URL which can be parsed using JavaScript - on a development system. So finally I added the data to the URL after a # (fragment identifier) as a workaround (e.g. http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=[long hash]#myparam=1). On the production system we used another solution (which I cannot describe, it was done by a colleague). My solution was just for quick testing during development.
After reading your post I guess you would like to enhance security, so I don't think this helps for you, but that's what I could share. :-)
Hello Kapil,
My task was just to add a value to the URL which can be parsed using JavaScript - on a development system. So finally I added the data to the URL after a # (fragment identifier) as a workaround (e.g. http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=[long hash]#myparam=1). On the production system we used another solution (which I cannot describe, it was done by a colleague). My solution was just for quick testing during development.
After reading your post I guess you would like to enhance security, so I don't think this helps for you, but that's what I could share. :-)
However I think if you want to pass data from an external application to the Pega Mashup, the Pega URL encryption doesn't matter. As I understand you have an account ID in Salesforce and you want to pass it to the mashup. For this you can use the data-pega-action-param-parameters parameter, see: https://community.pega.com/knowledgebase/pega-web-mashup-attribute-reference and https://collaborate.pega.com/question/difference-between-some-pega-mashup-attributes. Now how to secure this is another question. In general I would say you should use HTTPS and then the communication is secured. If you want to hide the account ID even from the HTML markup generated on the Salesforce side, you can use a custom encryption mechanism.
Charles Schwab & Company Inc
US
Thanks Attila,
Actually i have implemented the mashup code, requirement was to display search screen when user click a link in salesforce which will pass accnt# its coming well.
Now next step is to encrypt the account# in the url so i started the search on pdn for the help .
1> Can you please describe more on the below if feasible how u achieved it:
So finally I added the data to the URL after a # (fragment identifier) as a workaround (e.g. http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=[long hash]#myparam=1).
for example below is my sample code snippet hiding all the sensitive info:
============
Thanks Attila,
Actually i have implemented the mashup code, requirement was to display search screen when user click a link in salesforce which will pass accnt# its coming well.
Now next step is to encrypt the account# in the url so i started the search on pdn for the help .
1> Can you please describe more on the below if feasible how u achieved it:
So finally I added the data to the URL after a # (fragment identifier) as a workaround (e.g. http://[our domain]/prweb/[ruleset stack hash]/!STANDARD?pzuiactionzzz=[long hash]#myparam=1).
for example below is my sample code snippet hiding all the sensitive info:
============
<script src ='https://some url/prweb/sso?pyActivity=pzIncludeMashupScripts'>
pega.web.config.systemID = "https://some url/prweb/sso/";
pega.web.config.appName = "<app name>";
</script>
<div data-pega-gadgetname ='PegaGadget'
data-pega-action= 'display'
data-pega-action-param-harnessname ='harness name'
data-pega-action-param-classname ='Data-Portal'
data-pega-action-param-model =''
data-pega-action-param-readonly ='false'
data-pega-isdeferloaded ='false'
data-pega-applicationname ='app name'
data-pega-threadname ='Thread1'
data-pega-resizetype ='default'
data-pega-url ='https://some url/prweb/sso'
data-pega-action-param-parameters="{pzSkinName:'skin name'}"></div>
==========
2> Even i got a link in pdn may be related with my topic of encryption can u give your points if time permits currently my POC is on a pega sandbox server and salesforce sanbox server in future once successful it will be rolled over to production.
https://community.pega.com/support/support-articles/mashup-urlencryption-pega-platform-74
3> Regarding HTML custom encryption mechanism that i will try later as an objective of poc.
Thank you.
Cognizant
CH
1> It was an URL generated by Pega. I simply concatenated "#myparam=1" to the URL string, e.g. url = url + "#myparam=1".
2> If I understand correctly, your process starts from Salesforce, that generates the link, e.g.: https://[site which contains the mashup]?accountID=xx. Up to this point, Pega is not involved at all. The URLEncryption Pega setting is only important when an URL is generated by Pega.
Charles Schwab & Company Inc
US
Hello Srikanth,
Request you to please help me with a reply from the SME if possible soon as I am in need of implementing a solution as POC more details you can find in the below link.
https://collaborate.pega.com/question/pega-web-mashup-and-url-encryption
Thank you.