BPM, Workflow, and Case

  • 1.  Adding to allowed list against CSRF protection not working

    Posted Thu November 04, 2021 08:48 AM
    Edited by Stephanie Wilkerson Thu June 23, 2022 06:24 PM

    Hi guys:

      Since CSRF protection was enabled on a BAW server, accessing the Portal process link embedded in email content fails and always returns this error:

    "HTTP request to was blocked by CSRF Filtering"

    I tried to add the host of the email service (https://xxx.xx.com) to the allowed list in order to fix this, but it's still not working.

    Could you guys help advise? Tks!



    ------------------------------
    Eddie J
    ------------------------------


  • 2.  RE: Adding to allowed list against CSRF protection not working
    Best Answer

    Posted Fri November 05, 2021 05:23 AM

    Hi Eddie,
    When you read https://www.ibm.com/docs/en/baw/20.x?topic=environment-security-hardening-properties carefully, it says for Security.CsrfProtectionRefererWhitelist:

    The value of this property must be a comma-separated list of fully qualified host names that are valid values for the Referer header field. By restricting values to host names that serve user interfaces for Business Automation Workflow, you can mitigate CSRF. For more information about the Referer header field, see the Request for Comments (RFC) 7231 documentation.

    The sample uses a hostname without protocol scheme, too:
    AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.CsrfProtectionRefererWhitelist', '-value', 'fmtc4090.boeblingen.de.ibm.com'])

    If in doubt, enable trace for com.ibm.bpm.servlet.filters.*=all to see the exact header value that the system was unhappy with.



    ------------------------------
    Jens Engelke
    ------------------------------



  • 3.  RE: Adding to allowed list against CSRF protection not working

    Posted Sun November 07, 2021 08:25 PM

    Hi Jens,

       Tks for your reply. That's correct. It worked by removing the scheme.



    ------------------------------
    Eddie J
    ------------------------------



  • 4.  RE: Adding to allowed list against CSRF protection not working

    Posted Fri June 24, 2022 02:53 AM
    Hi Eddie,

    there are multiple approaches to CSRF protection implemented in BAW. In your case, my guess is that it is an allow-list for possible values of the Referer header. See Security-hardening properties (Security.CsrfProtectionRefererWhitelist).

    Note that the whitelisting relates to hostnames (without port), not URLs.

    To know for sure, enable trace for 
    *=info:com.ibm.bpm.servlet.filters.*=all

    You should see a log message about the request being blocked, and right before that, in the same thread, you should see the exact incoming header value passed to a method isValidReferrerHeader.

    You can also try to copy the URL from the email into your browser as a temporary work-around. This should cause an empty Referer header, which is acceptable.

    HTH

    Jens



    ------------------------------
    Jens Engelke
    ------------------------------
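The two answers above describe the allow-list semantics that tripped Eddie up: entries are bare host names (no scheme, no port), the host is taken from the incoming Referer header, and an absent Referer passes. The following Python snippet is an added example that models that behaviour so the misconfiguration can be reproduced offline; it is not BAW's own filter and the function names (`is_valid_referer`, `allowlist_problems`), the host `mail.example.com` and the sample Referer values are all constructed for illustration. The `allowlist_problems` helper goes slightly beyond the thread by flagging scheme, port and path mistakes in a property value before it is applied with `AdminTask.setBPMProperty`.

```python
from urllib.parse import urlsplit

# Constructed model of a Referer allow-list check in the spirit of
# Security.CsrfProtectionRefererWhitelist. This is NOT the BAW
# implementation; it only mirrors the rules stated in the thread:
#   - allow-list entries are fully qualified host names, no scheme or port
#   - the request's Referer host (without port) must match an entry
#   - an empty or absent Referer is accepted


def parse_allowlist(value):
    """Split the comma-separated property value into normalised host names."""
    return [entry.strip().lower() for entry in value.split(",") if entry.strip()]


def allowlist_problems(value):
    """Return a list of human-readable problems with allow-list entries.

    A hostname never contains '://', '/' or ':' (IPv6 literals aside), so an
    entry carrying a scheme, path or port can never match any Referer host.
    """
    problems = []
    for entry in parse_allowlist(value):
        if "://" in entry:
            problems.append(f"{entry!r}: contains a URL scheme; use the bare host name")
        elif "/" in entry:
            problems.append(f"{entry!r}: contains a path; use the bare host name")
        elif ":" in entry:
            problems.append(f"{entry!r}: contains a port; hosts are matched without port")
    return problems


def referer_host(referer):
    """Lower-cased host name (port stripped) from a Referer value, or None.

    urlsplit().hostname already lower-cases the host and drops the port; a
    value without a parseable authority (e.g. 'not a url') yields None.
    """
    if not referer:
        return None
    return urlsplit(referer).hostname


def is_valid_referer(referer, allowlist_value):
    """True if the request would pass the modelled CSRF Referer filter."""
    if not referer:
        # The thread notes an empty Referer (e.g. URL pasted into the
        # address bar) is acceptable to the filter.
        return True
    host = referer_host(referer)
    if host is None:
        return False  # malformed Referer: block rather than guess
    return host in parse_allowlist(allowlist_value)


if __name__ == "__main__":
    # Constructed Referer as sent by a webmail client following the link.
    referer = "https://mail.example.com/inbox?id=1"

    # The misconfiguration from the question: entry carries a scheme.
    bad_value = "https://mail.example.com"
    print("with scheme ->", is_valid_referer(referer, bad_value))      # False
    for problem in allowlist_problems(bad_value):
        print("  problem:", problem)

    # The fix from the best answer: bare host name.
    good_value = "mail.example.com"
    print("bare host   ->", is_valid_referer(referer, good_value))     # True

    # Empty Referer (link pasted into the browser) is accepted.
    print("no referer  ->", is_valid_referer("", good_value))          # True
```

Running the script prints False for the scheme-prefixed entry and True once the scheme is removed, which is exactly the before/after Eddie reported; running `allowlist_problems` over a candidate property value before calling `AdminTask.setBPMProperty` catches the same mistake without having to enable the servlet-filter trace.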



  • 5.  RE: Adding to allowed list against CSRF protection not working

    Posted Fri June 24, 2022 05:12 AM

    FYI.

    Best regards
    -----------------------------------------

    Jin Hui (Eddie)
    IBM Dalian Global Delivery Company Limited
    No.18 Software Park Road, Building No. 9, Dalian
    Email: jinhdl@cn.ibm.com