Administer > System security > Tokenization

Tokenization

As of version 9.32, the Service Manager web tier has tokenization enabled by default. Enabling tokenization helps safeguard sensitive data. When tokenization is enabled, the web tier appends a token to URLs and checks requested URLs that contain any predefined actions or match any predefined patterns to see if they have the token appended; if the token is not found, the web tier returns an error.

Administrators can also disable this feature by turning off a parameter in the web tier configuration file (web.xml).

Related parameters

Three web.xml parameters are used for tokenization (see the following table). Out-of-the-box, the simpleURLs and patterns parameters are not present in the web.xml file. If you do not add them, their default values take effect.

Note To enable tokenization, enabling the antiCSRFEnabled parameter is enough. Adding the other parameters is not necessary unless you need to change their values from the default ones.

Parameter Name Parameter Value Default Value Description
antiCSRFEnabled true or false true Set it to true to enable token validation or false to disable the feature.
simpleURLs A list of comma-separated servlet actions that a URL can contain. <![CDATA[service.do, detail.do, list.do, mashup.do, frames.do, printList.do, printDetail.do, uim.do, nav.menu, wf, ce, cm, /upload, /imageupload, /attachmentupload, /uniqueupload]]>

This parameter takes effect only when antiCSRFEnabled is set to true. If a requested URL contains any of the listed actions and also has no token appended, the SM web tier returns a 403 error.

When antiCSRFEnabled is set to false, the web tier neither checks for a token in the requested URLs, nor appends a token to any URLs.

Note HPE recommends that you use the default list. If needed, you can remove actions from the default list, but cannot add new ones.

Note Token validation is skipped for the following actions: index.do, ess.do, accessible.do, and accessible_ess.do.

patterns A comma separated list of patterns <![CDATA[attachments/, /download/, /colla/api/]]>

This parameter takes effect only when antiCSRFEnabled is set to true, and is ignored when the simpleURLs validation has passed.

If a requested URL matches any of the listed patterns, the web tier performs token validation on it.

Note HPE recommends that you use the default list. If you want, you can remove a pattern from the default list, but cannot add new ones.

Enable or disable tokenization in the web client

By default, tokenization is enabled in the web client. You can customize the tokenization settings or disable tokenization.

To customize tokenization settings:

  1. In the web.xml file, locate the following filter and check that antiCSRFEnabled is set to true:

    <filter>    
        <filter-name>antiCSRFFilter</filter-name>
        <filter-class>com.hp.ov.web.csrf.AntiCSRFFilter</filter-class>
        <init-param>
            <param-name>antiCSRFEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
  2. Add the other two parameters if you want to assign them a custom value.

    Note HPE recommends that you use the default values for the two parameters; however, you are allowed to remove values from the default action/pattern list, but you cannot add new ones.

    Tip Ignore this step if you want to use the default values.

    You should add the parameters as shown in the following.

    <filter>    
        <filter-name>antiCSRFFilter</filter-name>
        <filter-class>com.hp.ov.web.csrf.AntiCSRFFilter</filter-class>
        <init-param>
            <param-name>antiCSRFEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>simpleURLs</param-name>
            <param-value><your custom URL action list></param-value>
        </init-param>
        <init-param>
            <param-name>patterns</param-name>
            <param-value><your custom pattern list></param-value>
        </init-param>
    </filter>
  3. Save the web.xml file.
  4. If you want to disable tokenization, set antiCSRFEnabled to false.
  5. Restart your web application server.

To disable tokenization:

  1. Set antiCSRFEnabled to false.
  2. Save the web.xml file.
  3. Restart your web application server.