XSRF Security Configuration Portlet
Portlet Title: XSRF Security Configuration
Portlet Name: wm_axsrftconfig
Portlet File Name: wm_axsrftconfig.pdp
Top-level Folder: admin
JSR168 Portlet?: No
Alias: /portlet/wm_axsrftconfig
Default Instances of the portlet: Administration Dashboard > Configuration > XSRF Security Configuration
Security. System administrators use this portlet to configure Cross-Site Request Forgery (XSRF) countermeasures for My webMethods Server. To combat XSRF, My webMethods Server requires a special token, called Anti-Cross-Site-Request-Forgery Token (AXSRFT), to be present on HTTP requests that invoke My webMethods Server actions, such as a request to delete a folder or change a user's profile information. My webMethods Server generates a unique token for each user, and periodically updates it, once a day by default. When you use the My webMethods Server user interface to perform actions that require an AXSRFT, the My webMethods Server user interface automatically supplies the correct token, so you do not need to do anything special for these actions when using the My webMethods Server user interface.
My webMethods Server ensures that an attacker cannot guess a user's AXSRFT by generating the token with a secret that only My webMethods Server knows. This secret is managed automatically by My webMethods Server; it re-generates a new secret periodically and retains a few recent old secrets to validate recent old tokens. You can configure the interval at which My webMethods Server generates new secrets by means of this portlet's "New Secret Interval" property, and you can configure the duration to retain old secrets by means of this portlet's "Oldest Secret" property. The default settings are to generate a new secret every day and to retain an old secret for two days, thus allowing a user who visited a page late one day to use that same page to invoke an action early the next day.
You can also configure a special whitelist of client IP addresses or hostnames from which HTTP requests are never checked for an AXSRFT. While this whitelist disables the My webMethods Server XSRF countermeasures when using the My webMethods Server user interface in a Web browser on those machines, it enables a system administrator to invoke My webMethods Server actions directly from those machines, without using the My webMethods Server user interface. This is useful, for example, if you have a script on a local machine that performs My webMethods Server actions by means of HTTP requests, such as a script that uploads system logs to My webMethods Server every day, or a script that runs performance tests against My webMethods Server. It may also be useful in an emergency if you need to invoke a My webMethods Server action, but cannot access the normal My webMethods Server user interface, for example, if you need to delete a My webMethods Server folder, but some unexpected error rendering the My webMethods Server user interface prevents you from invoking any actions on that folder from the user interface.
Properties
Oldest Secret (oldestSecret)
Required. Specifies the length of time to keep old AXSRFT secrets, in minutes. Keeping recent old secrets after a new AXSRFT secret has been generated allows users to continue to use My webMethods Server pages that were rendered before the latest AXSRFT secret was generated, so the value of this property should be longer than the value of the "New Secret Interval" property. The default value is 2820 minutes, a little less than two days.
New Secret Interval (newSecretInterval)
Required. Specifies the interval, in minutes, at which My webMethods Server generates a new AXSRFT secret. This secret is used to generate an unguessable anti-XSRF token for each user. The default value is 1440 minutes (1 day).
Whitelist (whitelist)
Provides a comma-separated list of client IP addresses, IP address ranges, or hostnames for which to disable the My webMethods Server XSRF countermeasures. Specify an IP address range as the first IP in the range, a dash character, and the last IP in the range, such as "192.168.0.0-192.168.0.255". For example, a whitelist consisting of "localhost,10.1.0.1-10.1.0.4,pc1.private.corp.com" would disable the My webMethods Server XSRF countermeasures for HTTP connections from localhost (the server running My webMethods Server), 10.1.0.1, 10.1.0.2, 10.1.0.3, 10.1.0.4, and pc1.private.corp.com. If a value is not specified, the default value is empty, which means that the My webMethods Server XSRF countermeasures are enabled for all clients.
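A configuration audit for the three properties above, added here as an example and not part of the My webMethods Server documentation or product: it parses a Whitelist value in the format described, counts how many IP addresses the ranges exempt from AXSRFT checks, and verifies that Oldest Secret is longer than New Secret Interval. The function names and the max_exempt threshold are assumptions made for this example, and hostname entries are listed for review rather than resolved.

```python
import ipaddress

def parse_whitelist(value):
    """Parse the comma-separated whitelist into ("range", (lo, hi)) and ("host", name) entries."""
    entries = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        first, dash, last = item.partition("-")
        try:
            lo = ipaddress.ip_address(first.strip())
        except ValueError:
            entries.append(("host", item.lower()))  # not an IP or IP range: a hostname
            continue
        hi = ipaddress.ip_address(last.strip()) if dash else lo  # ValueError if malformed
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"invalid IP range: {item!r}")
        entries.append(("range", (lo, hi)))
    return entries

def exempt_address_count(entries):
    """Number of IP addresses that the IP and range entries exempt from AXSRFT checks."""
    return sum(int(d[1]) - int(d[0]) + 1 for k, d in entries if k == "range")

def ip_is_exempt(entries, client_ip):
    """True if client_ip falls in a listed IP or range (hostnames are not resolved here)."""
    ip = ipaddress.ip_address(client_ip)
    return any(k == "range" and d[0].version == ip.version and d[0] <= ip <= d[1]
               for k, d in entries)

def audit(whitelist, new_secret_interval=1440, oldest_secret=2820, max_exempt=16):
    """Return review findings; max_exempt is a hypothetical site policy threshold."""
    entries = parse_whitelist(whitelist)
    findings = []
    count = exempt_address_count(entries)
    if count > max_exempt:
        findings.append(f"whitelist exempts {count} IP addresses from AXSRFT checks")
    hosts = [d for k, d in entries if k == "host"]
    if hosts:
        findings.append("hostname entries to review: " + ", ".join(hosts))
    if oldest_secret <= new_secret_interval:
        findings.append("oldestSecret should be longer than newSecretInterval")
    return findings

if __name__ == "__main__":
    # Whitelist value taken from the example in the Whitelist property description.
    for finding in audit("localhost,10.1.0.1-10.1.0.4,pc1.private.corp.com"):
        print(finding)
```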