Server Administrator's Guide
Business Process Server web security : XSRF handler implementation

XSRF handler implementation

BP Server provides the default XSRF handler implementation through the com.savvion.sbm.websecurity.xsrf.impl.DefaultXSRFHandlerFactory class. This implementation can be replaced through the configuration exposed in the bmwebsecurity.conf file.
The default implementation generates an XSRF token (a key/value pair) inside each HTML form element that the portal server renders. The XSRF token is expected whenever a user submits the form from the browser. Once the XSRF token has been evaluated successfully, the request is accepted for further processing by the portal server.
If no token is found in the request, or the token found in the request is invalid, that user's session is invalidated and the user is forwarded to the login page with the message "For security reasons, your session has been terminated. Please login again or contact administrator."
Note: The default XSRF implementation is applied to POST requests only. It does not evaluate GET requests or AJAX requests, so those request paths are not covered by the default token check.
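The following is an added example, written for this page, that models the synchronizer-token behaviour described above; it is not BP Server's own code. A per-session random token is emitted as a hidden key/value pair in every rendered form, every POST is checked for that token, and a missing or mismatched token invalidates the session and redirects to the login page, while GET requests pass through unevaluated, as the note states. The hidden-field name `xsrf_token`, the `/login` path and the `Session` class are assumptions made for this example.

```python
import hmac
import re
import secrets
from html import escape
from urllib.parse import quote

# Assumed names for this example, not BP Server identifiers.
TOKEN_FIELD = "xsrf_token"
LOGIN_PAGE = "/login"
TERMINATED_MSG = ("For security reasons, your session has been terminated. "
                  "Please login again or contact administrator.")


class Session:
    """Minimal stand-in for a portal-server session (assumption for this example)."""

    def __init__(self):
        self.valid = True
        # One unpredictable token per session; the browser only ever sees it
        # inside forms rendered for this session.
        self.xsrf_token = secrets.token_urlsafe(32)

    def invalidate(self):
        self.valid = False
        self.xsrf_token = None


def render_form(session, action):
    """Render a POST form carrying the session's XSRF token as a hidden field."""
    return (
        f'<form method="POST" action="{escape(action)}">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" '
        f'value="{escape(session.xsrf_token)}">\n'
        f'  <input type="submit" value="Save">\n'
        f'</form>'
    )


def parse_form_token(html):
    """Extract the hidden token the way a browser would include it on submit."""
    m = re.search(rf'name="{TOKEN_FIELD}" value="([^"]*)"', html)
    return m.group(1) if m else None


def handle_request(session, method, params):
    """Evaluate one request.

    Returns ("accept", None) when the request may proceed, or
    ("redirect", url) when the session was terminated. Only POST requests are
    evaluated, mirroring the documented default; GET passes straight through.
    """
    if method.upper() != "POST":
        return ("accept", None)

    submitted = params.get(TOKEN_FIELD)
    expected = session.xsrf_token
    token_ok = (
        session.valid
        and submitted is not None
        and expected is not None
        # Constant-time comparison on bytes, so non-ASCII input cannot raise.
        and hmac.compare_digest(submitted.encode(), expected.encode())
    )
    if not token_ok:
        session.invalidate()
        return ("redirect", f"{LOGIN_PAGE}?msg={quote(TERMINATED_MSG)}")
    return ("accept", None)


if __name__ == "__main__":
    # Legitimate flow: the form rendered for this session is submitted back.
    sess = Session()
    token = parse_form_token(render_form(sess, "/save"))
    print(handle_request(sess, "POST", {TOKEN_FIELD: token}))   # ('accept', None)

    # A POST that never went through a rendered form carries no token,
    # so the session is terminated and the user is sent to the login page.
    other = Session()
    print(handle_request(other, "POST", {"amount": "100"}))     # ('redirect', '/login?msg=...')
    print(other.valid)                                          # False
```

The token is compared with `hmac.compare_digest` rather than `==` so that the check does not leak timing information, and the comparison is done on bytes so an unexpected non-ASCII value is rejected cleanly instead of raising. Because the session is invalidated on the first failure, a later POST with the originally valid token is also rejected, which is exactly the behaviour the page describes.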
* XSRF configuration