Security. System administrators use this portlet to configure Cross-Site Request Forgery (XSRF) countermeasures for My webMethods Server. To combat XSRF, My webMethods Server requires a special token, called Anti-Cross-Site-Request-Forgery Token (AXSRFT), to be present on HTTP requests that invoke My webMethods Server actions, such as a request to delete a folder or change a user's profile information. My webMethods Server generates a unique token for each user, and periodically updates it, once a day by default. When you use the My webMethods Server user interface to perform actions that require an AXSRFT, the My webMethods Server user interface automatically supplies the correct token, so you do not need to do anything special for these actions when using the My webMethods Server user interface.

My webMethods Server ensures that an attacker cannot guess a user's AXSRFT by generating the token with a secret that only My webMethods Server knows. This secret is managed automatically by My webMethods Server; it re-generates a new secret periodically and retains a few recent old secrets to validate recent old tokens. You can configure the interval at which My webMethods Server generates new secrets by means of this portlet's "New Secret Interval" property, and you can configure the duration to retain old secrets by means of this portlet's "Oldest Secret" property. The default settings are to generate a new secret every day and to retain an old secret for two days, thus allowing a user who visited a page late one day to use that same page to invoke an action early the next day.

You can also configure a special whitelist of client IP addresses or hostnames from which HTTP requests are never checked for an AXSRFT. While this whitelist disables the My webMethods Server XSRF countermeasures when using the My webMethods Server user interface in a Web browser on those machines, it enables a system administrator to invoke My webMethods Server actions directly from those machines, without using the My webMethods Server user interface. This is useful, for example, if you have a script on a local machine that performs My webMethods Server actions by means of HTTP requests, such as a script that uploads system logs to My webMethods Server every day, or a script that runs performance tests against My webMethods Server. It may also be useful in an emergency if you need to invoke a My webMethods Server action, but cannot access the normal My webMethods Server user interface, for example, if you need to delete a My webMethods Server folder, but some unexpected error rendering the My webMethods Server user interface prevents you from invoking any actions on that folder from the user interface.