Securing DSPs Against CSRF Attacks
Integration Server adds CSRF secure tokens to DSPs dynamically, so custom DSPs are protected against CSRF attacks without changes to the page.
However, Integration Server does not insert CSRF secure tokens into navigation that a custom DSP performs through the JavaScript Location object, such as assignments to document.location or window.location.href. You must update these pages manually.
For example, if you have the following code in your custom DSP:
document.location="ldap-settings.dsp";
You must replace it with the following code:
if (is_csrf_guard_enabled && needToInsertToken) {
    // CSRF guard is on and this page must carry a token: append it as a query parameter
    document.location = "ldap-settings.dsp?" + _csrfTokenNm_ + "=" + _csrfTokenVal_;
} else {
    document.location = "ldap-settings.dsp";
}
You do not have to define the JavaScript variables _csrfTokenNm_, _csrfTokenVal_, is_csrf_guard_enabled, and needToInsertToken; they are provided by csrf-guard.js. However, you must include Integration Server_directory\packages\WmRoot\csrf-guard.js in your DSP before any script that uses these variables. Note also that the "?" in the example assumes the target URL has no query string of its own; if the URL already carries parameters, join the token with "&" instead.
Integration Server inserts CSRF secure tokens into the links in a DSP only when the link target is itself a DSP. For links that point elsewhere (for example, a /invoke URL that calls a service directly), you must add the CSRF secure token to the link manually.
For example, if you have the following code in your DSP:
<a href="/invoke/wm.sap.Transaction/viewAs?type=xml"></a>
You must replace it with the following code, in which the %value secureCSRFToken% DSP tag is expanded to the current token when Integration Server renders the page:
<a href="/invoke/wm.sap.Transaction/viewAs?type=xml&secureCSRFToken=%value secureCSRFToken%"></a>
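The two manual cases above (Location-object navigation, and links that do not point to a DSP) both come down to appending the token as a query parameter. The following helper is an added example for custom DSPs and is not Software AG's code or part of csrf-guard.js. It assumes csrf-guard.js has already been included, so the globals is_csrf_guard_enabled, needToInsertToken, _csrfTokenNm_ and _csrfTokenVal_ exist as the page describes; it goes beyond the one-line example by choosing "?" or "&" correctly, keeping a "#fragment" at the end, not adding a second copy of a token that is already present, and not throwing if csrf-guard.js was forgotten. The function names and the sample URLs and token value are constructed for illustration.

```javascript
// Added example (not Software AG's code): build URLs that carry the CSRF secure
// token the way csrf-guard.js expects. Assumes csrf-guard.js is included first.

// True when the URL's query string already carries a parameter named tokenName.
function hasCsrfToken(url, tokenName) {
  var query = url.split('#')[0].split('?')[1];
  if (!query) {
    return false;
  }
  var params = query.split('&');
  for (var i = 0; i < params.length; i++) {
    if (decodeURIComponent(params[i].split('=')[0]) === tokenName) {
      return true;
    }
  }
  return false;
}

// Appends name=value to the query string of url, choosing "?" or "&" as needed
// and keeping any fragment ("#...") at the end so the token stays in the query.
function appendQueryParam(url, name, value) {
  var hashIdx = url.indexOf('#');
  var hash = hashIdx >= 0 ? url.substring(hashIdx) : '';
  var base = hashIdx >= 0 ? url.substring(0, hashIdx) : url;
  var sep;
  if (base.indexOf('?') < 0) {
    sep = '?';
  } else if (/[?&]$/.test(base)) {
    sep = '';
  } else {
    sep = '&';
  }
  return base + sep + encodeURIComponent(name) + '=' + encodeURIComponent(value) + hash;
}

// Returns url with the CSRF secure token added when the guard is enabled and the
// page needs to insert one; otherwise returns url unchanged.
// guard has the shape {enabled, needToken, name, value}.
function csrfSafeUrl(url, guard) {
  if (!(guard.enabled && guard.needToken)) {
    return url;
  }
  if (hasCsrfToken(url, guard.name)) {
    return url; // already carries the token; do not append a second copy
  }
  return appendQueryParam(url, guard.name, guard.value);
}

// Reads the csrf-guard.js globals into a guard object. typeof is used so that a
// page which forgot to include csrf-guard.js navigates without a token instead of
// throwing a ReferenceError.
function readGuardFromPage() {
  var loaded = typeof is_csrf_guard_enabled !== 'undefined';
  return {
    enabled: loaded && !!is_csrf_guard_enabled,
    needToken: loaded && typeof needToInsertToken !== 'undefined' && !!needToInsertToken,
    name: loaded && typeof _csrfTokenNm_ !== 'undefined' ? _csrfTokenNm_ : '',
    value: loaded && typeof _csrfTokenVal_ !== 'undefined' ? _csrfTokenVal_ : ''
  };
}

// Drop-in replacement for `document.location = url;` in a custom DSP.
function navigateTo(url) {
  document.location = csrfSafeUrl(url, readGuardFromPage());
}
```

navigateTo replaces a bare document.location assignment in script. For a static link that does not point to a DSP, the server-side %value secureCSRFToken% tag shown above remains the right tool, because the token is already known when the page is rendered; csrfSafeUrl is for URLs that are assembled in the browser. Keep in mind that a token in a query string can end up in browser history, Referer headers and proxy logs, which is one reason to add it only where Integration Server does not already do so.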
For more information about configuring CSRF guard in Integration Server, see webMethods Integration Server Administrator’s Guide.
Copyright © 2015- 2016 Software AG, Darmstadt, Germany.