Hi Eddie,
there are multiple approaches to CSRF protection implemented in BAW. In your case, my guess is that it is an allow-list for possible values of the Referer header. See
Security-hardening properties (Security.CsrfProtectionRefererWhitelist)
Note that the whitelisting relates to hostnames (without port), not URLs.
To know for sure, enable trace for
*=info:com.ibm.bpm.servlet.filters.*=all
You should see a log message about the request being blocked, and right before that, in the same thread, you should see the exact incoming header value passed to a method isValidReferrerHeader.
You can also try to copy the URL from the email into your browser as a temporary work-around. This should cause an empty Referer header, which is acceptable.
HTH
Jens
------------------------------
Jens Engelke
------------------------------
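To make the hostname-only semantics of the allow-list concrete, here is an added Python illustration; it is not BAW's code and not from Jens or IBM. It models a Referer check that accepts an absent or empty Referer and otherwise compares only the hostname (port stripped) against the list. The allow-list entries, hostnames and function names are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: bare hostnames only, no scheme and no port.
# This mirrors the semantics described in the reply (an assumption for
# illustration, not BAW's actual implementation).
ALLOWED_REFERER_HOSTS = {"mail.example.com", "portal.example.com"}


def referer_hostname(referer):
    """Return the lowercase hostname of a Referer value, or None if unparseable."""
    if not referer:
        return None
    # urlsplit().hostname drops the port and lowercases the host for us.
    return urlsplit(referer).hostname


def is_valid_referer(referer, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Hypothetical allow-list check (constructed for this example):
    - absent or empty Referer is accepted (matches the work-around in the reply)
    - otherwise the hostname, without port, must be in allowed_hosts
    """
    if referer is None or referer.strip() == "":
        return True
    host = referer_hostname(referer.strip())
    if host is None:
        return False
    return host in allowed_hosts


def normalize_allow_entry(entry):
    """Turn a URL-shaped entry such as 'https://mail.example.com:443/' into the
    bare hostname an allow-list of this kind expects. Also accepts 'host:port'."""
    entry = entry.strip()
    if "://" in entry:
        return urlsplit(entry).hostname
    # No scheme: prefix '//' so urlsplit treats the string as a netloc.
    return urlsplit("//" + entry).hostname


if __name__ == "__main__":
    # Constructed Referer values as a mail client or browser might send them.
    for ref in ["https://mail.example.com:8443/notify", "https://evil.example.net/", ""]:
        print(repr(ref), "->", "allowed" if is_valid_referer(ref) else "blocked")
    # A list entry written as a full URL never matches a bare hostname...
    print(is_valid_referer("https://mail.example.com/", {"https://mail.example.com"}))
    # ...but the normalized entry does.
    print(is_valid_referer("https://mail.example.com/",
                           {normalize_allow_entry("https://mail.example.com")}))
```

Running the block shows the two points from the reply side by side: a Referer from an allowed host is accepted regardless of port or path, an empty Referer passes, and an entry configured as a full URL does not match until it is reduced to the hostname.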
Original Message:
Sent: Thu November 04, 2021 02:06 AM
From: Eddie J
Subject: Adding to allowed list against CSRF protection not working
Hi guys:
Since CSRF protection was enabled on a BAW server, accessing the Portal process link embedded in email content fails, always with this error:
"HTTP request to was blocked by CSRF Filtering"
I tried to add the host of the email service (https://xxx.xx.com) to the allowed list in order to fix this, but it's still not working.
Could you guys help to advise? Thanks!
------------------------------
Eddie J
------------------------------