Server Administrator's Guide
Configuring web security

Web security configuration is provided in the bmwebsecurity.conf file, located in the OEBPS_HOME/conf directory. Using this file you can enable or disable the individual web security components (the XSS filter, the XSRF filter, and their logging).
The following parameters are available in the bmwebsecurity.conf file.
Table 17. Configuring web security
Parameter
Description
websecurity.logger.factory
The implementation class name of com.savvion.sbm.websecurity.common.api.IWebSecurityLoggerFactory.
This parameter allows you to change the logging capability, for example to log to a database, or to merge security logging with the rest of the system logging. The factory class has to implement the interface IWebSecurityLoggerFactory, and the logger implementation has to implement the interface IWebSecurityLogger. Both interfaces are defined in the package com.savvion.sbm.websecurity.common.api.
websecurity.xss.enabled
Enables the XSS (cross-site scripting) filter when set to true. The default value is false, so XSS filtering is off until you enable it explicitly.
websecurity.xss.trace
Enables DEBUG logging into bmwebsecurity.log along with info messages, when set to true.
websecurity.xss.handler.defaultconfig
The default XSS configuration to use when no configuration is explicitly provided to the XSS filter. A configuration is defined using keys with the prefix websecurity.xss.handler.config.<config-name>.
websecurity.xss.handler.config.default.handlerfactory
The implementation class name of com.savvion.sbm.websecurity.xss.api.IXSSHandlerFactory for the configuration "default".
This parameter allows you to customize the business logic of the security filter: the handler implementation provides the actual behaviour of the filter. The factory class has to implement the interface IHandlerFactory, which is extended by a concrete interface specific to the type of handler used in each type of security filter; for the XSS filter this interface is IXSSHandlerFactory. A concrete XSS handler has to implement the interface IXSSHandler. All XSS filter specific interfaces are defined in the package com.savvion.sbm.websecurity.xss.api.
Note: It is recommended not to modify the default handler values.
websecurity.xss.handler.config.default.configfile
The XSS config file location for the "default" configuration.
websecurity.xsrf.enabled
Enables XSRF (cross-site request forgery) checking when set to true.
websecurity.xsrf.trace
Enables DEBUG logging into bmwebsecurity.log along with info messages, when set to true.
websecurity.xsrf.handler.defaultconfig
The default XSRF configuration to use when no configuration is explicitly provided to the XSRF filter. A configuration is defined using keys with the prefix websecurity.xsrf.handler.config.<config-name>.
websecurity.xsrf.handler.config.default.handlerfactory
The implementation class name of the XSRF handler factory for the configuration "default"; the shipped value is com.savvion.sbm.websecurity.xsrf.impl.DefaultXSRFHandlerFactory.
This parameter allows you to redefine the business implementation of the XSRF filter. The handler mechanism is the same as for the XSS filter: the handler implements IXSRFHandler and its factory implements IXSRFHandlerFactory. Both interfaces are defined in the package com.savvion.sbm.websecurity.xsrf.api.
Note: It is recommended not to modify the default handler values.
websecurity.xsrf.handler.config.default.configfile
The XSRF config file location for the "default" configuration.
The following parameters are available in the bpmportal.conf file, located in the OEBPS_HOME/conf directory.
Table 18. Configuring web security in Portal
Parameter
Description
oebps.front.host
The value of this parameter is a comma separated list of the hosts through which the system is exposed and accessed. See Setting up oebps.front.host parameter for more information. This parameter value has to be set after the installation of the system.
Important: This parameter is not present in the config file by default. You have to add it when enabling the ref filter.
bpmportal.post.sensitive.parameters
If set to true, sensitive parameters passed from BP Server to BPM WebFlow, or from one BPM WebFlow to a BPM WebFlow Subprocess, are sent in HTTP POST requests rather than as URL query parameters. The default value for this parameter is false.
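The following script is an added example for checking the settings in Table 17 and Table 18; it is not part of the OpenEdge documentation or product. It assumes (the page does not state it) that bmwebsecurity.conf and bpmportal.conf use Java-style key=value properties syntax, and it audits two constructed sample pairs of files: one that leaves both filters off and omits oebps.front.host, and one with the hardened settings. The host names in the sample are assumed values.

```python
"""Audit Business Process Server web-security settings.

Added example; not part of the OpenEdge documentation or product.
Assumption (not stated on the page): bmwebsecurity.conf and
bpmportal.conf are Java-style key=value properties files.
"""
from typing import Dict, List

# Shipped XSRF handler factory named in Table 17.
DEFAULT_XSRF_FACTORY = "com.savvion.sbm.websecurity.xsrf.impl.DefaultXSRFHandlerFactory"

# Constructed sample files. The "weak" pair leaves both filters off and
# omits oebps.front.host; the "hardened" pair shows the corrected settings.
WEAK_BMWEBSECURITY = """\
# bmwebsecurity.conf (constructed sample, filters left off)
websecurity.xss.enabled=false
websecurity.xss.trace=false
websecurity.xss.handler.defaultconfig=default
websecurity.xsrf.enabled=false
websecurity.xsrf.trace=false
websecurity.xsrf.handler.defaultconfig=default
websecurity.xsrf.handler.config.default.handlerfactory=\\
    com.savvion.sbm.websecurity.xsrf.impl.DefaultXSRFHandlerFactory
"""
WEAK_BPMPORTAL = """\
# bpmportal.conf (constructed sample, oebps.front.host not added)
bpmportal.post.sensitive.parameters=false
"""
HARDENED_BMWEBSECURITY = """\
websecurity.xss.enabled=true
websecurity.xss.trace=false
websecurity.xss.handler.defaultconfig=default
websecurity.xsrf.enabled=true
websecurity.xsrf.trace=false
websecurity.xsrf.handler.defaultconfig=default
websecurity.xsrf.handler.config.default.handlerfactory=\\
    com.savvion.sbm.websecurity.xsrf.impl.DefaultXSRFHandlerFactory
"""
HARDENED_BPMPORTAL = """\
# host names below are assumed values for this example
oebps.front.host=bpm.example.com, bpm-internal.example.com
bpmportal.post.sensitive.parameters=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties parser: '#'/'!' comments, '=' or ':'
    separators, and backslash line continuation."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    if pending:
        props[pending.strip()] = ""
    return props


def as_bool(value: str) -> bool:
    return value.strip().lower() == "true"


def audit(bmweb: Dict[str, str], portal: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings: List[str] = []
    # Both filters default to off; they must be switched on explicitly.
    if not as_bool(bmweb.get("websecurity.xss.enabled", "false")):
        findings.append("websecurity.xss.enabled is not true: XSS filter is off")
    if not as_bool(bmweb.get("websecurity.xsrf.enabled", "false")):
        findings.append("websecurity.xsrf.enabled is not true: XSRF checking is off")
    # DEBUG tracing is for troubleshooting, not steady-state operation.
    for flt in ("xss", "xsrf"):
        if as_bool(bmweb.get(f"websecurity.{flt}.trace", "false")):
            findings.append(f"websecurity.{flt}.trace is true: DEBUG logging left on")
    # Table 17 recommends keeping the default handler factory.
    factory = bmweb.get("websecurity.xsrf.handler.config.default.handlerfactory")
    if factory and factory != DEFAULT_XSRF_FACTORY:
        findings.append(f"XSRF handler factory overridden: {factory}")
    # oebps.front.host is absent by default and must be added by hand.
    hosts = [h.strip() for h in portal.get("oebps.front.host", "").split(",") if h.strip()]
    if not hosts:
        findings.append("oebps.front.host missing or empty: add the exposed host list")
    if not as_bool(portal.get("bpmportal.post.sensitive.parameters", "false")):
        findings.append("bpmportal.post.sensitive.parameters is not true: sensitive parameters not sent by POST")
    return findings


def audit_files(bmweb_text: str, portal_text: str) -> List[str]:
    return audit(parse_properties(bmweb_text), parse_properties(portal_text))


if __name__ == "__main__":
    for label, bm, portal in (("weak", WEAK_BMWEBSECURITY, WEAK_BPMPORTAL),
                              ("hardened", HARDENED_BMWEBSECURITY, HARDENED_BPMPORTAL)):
        results = audit_files(bm, portal)
        print(f"{label}: {len(results)} finding(s)")
        for item in results:
            print("  -", item)
```

Run it against the real files by reading OEBPS_HOME/conf/bmwebsecurity.conf and bpmportal.conf into `audit_files`; the constructed weak pair yields four findings (both filters off, no front host, sensitive parameters not posted) and the hardened pair yields none.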
* Logger factory class name
* XSS configuration for web security
* XSRF configuration for web security