IBM Support

Configuring Cross-Site Request Forgery (CSRF) protection in IBM Business Process Manager (BPM)

Troubleshooting


Problem

IBM Business Process Manager provides a configuration option to enable CSRF protection, which is off by default. As a result, security testing using tools such as AppScan might identify CSRF vulnerabilities.

Symptom

The information contained in this document has been moved to developerWorks Answers located here. This technote will be archived in 60 days. Please bookmark the new location.

A Cross-Site Request Forgery attack uses HTML or JavaScript on one site to trick a user's browser into sending a request to another site. The browser attaches all cookies applicable to the target site to the forged request, so the target site processes it as if the authenticated user had sent it deliberately.

Resolving The Problem

IBM Business Process Manager V7.5.1 Fix Pack 2, V8.0.1 Fix Pack 3, V8.5.0 Fix Pack 1 and V8.5.5.0 introduced a CSRF protection feature that validates the HTTP REFERER header.

This feature can be enabled by setting a JVM custom property listing the acceptable values for the HTTP REFERER header. If the header is present, is not empty, and contains a value that is not explicitly allowlisted, the request is rejected with HTTP 403 (Forbidden) and a severe message is written to the log file: "HTTP request to was blocked by CSRF Filtering". Note that a request with no Referer header at all is not blocked by this check, so the protection only covers forged requests for which the browser sends a Referer.
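The decision the filter makes, modelled as an added example in Python (this is illustration code written for this page, not IBM's filter implementation). The technote does not document the exact matching rule IBM applies to the allowlisted hostnames or domains, so the example assumes an exact, case-insensitive match on the host part of the Referer URL; the hostnames, the allowlist value and the sample requests are all constructed. It also shows, beside the strict check, why a naive substring match on the raw header would be bypassable, and that a request without a Referer passes through, exactly as described above.

```python
"""
Model of a Referer-allowlist CSRF filter with the semantics this technote
describes: an absent or empty Referer passes, a Referer whose host is not
on the allowlist is rejected with 403.  Added illustration, not IBM code.
Assumption: exact, case-insensitive match on the Referer URL's host.
"""
from urllib.parse import urlsplit

# Assumed to use the same format as the JVM property: a comma-separated
# list of hostnames. Constructed value for this example.
ALLOWLIST_PROPERTY = "bpm.example.com, portal.example.com"


def parse_allowlist(value):
    """Split the comma-separated property value into normalised hostnames."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def referer_host(referer):
    """Extract the host from a Referer URL, or None if none can be parsed.

    urlsplit() is used rather than string searching so that URLs such as
    'https://bpm.example.com@evil.example/' (userinfo trick) or
    'https://bpm.example.com.evil.example/' (attacker subdomain) are not
    mistaken for the allowlisted host.
    """
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def csrf_filter(headers, allowlist):
    """Return (status, reason) the filter would produce for one request.

    200 means the request is passed on to the application, 403 means it is
    blocked. Only the Referer header is consulted, as in the technote; no
    token or Origin check is modelled.
    """
    referer = headers.get("Referer", "")
    if not referer.strip():
        # The technote only blocks when the header is present and not
        # allowlisted, so a request without a Referer is passed through.
        return 200, "no Referer header, passed through"
    host = referer_host(referer)
    if host in allowlist:
        return 200, "Referer host %s is allowlisted" % host
    return 403, "HTTP request was blocked by CSRF Filtering (Referer host %r)" % host


def naive_filter(headers, allowlist):
    """Unsafe variant: substring match on the raw header value.

    Included only to show the bypass; do not use this.
    """
    referer = headers.get("Referer", "")
    if not referer.strip():
        return 200
    return 200 if any(h in referer.lower() for h in allowlist) else 403


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("same-site form post", {"Referer": "https://bpm.example.com/portal/"}),
    ("attacker page", {"Referer": "https://evil.example/csrf.html"}),
    ("no Referer (e.g. privacy setting)", {}),
    ("userinfo trick", {"Referer": "https://bpm.example.com@evil.example/"}),
    ("attacker subdomain", {"Referer": "https://bpm.example.com.evil.example/"}),
]


def run_samples():
    """Run every sample through both filters; returns {label: (strict, naive)}."""
    allow = parse_allowlist(ALLOWLIST_PROPERTY)
    results = {}
    for label, headers in SAMPLE_REQUESTS:
        status, _ = csrf_filter(headers, allow)
        results[label] = (status, naive_filter(headers, allow))
    return results


if __name__ == "__main__":
    for label, (strict, naive) in run_samples().items():
        print("%-35s strict=%d naive=%d" % (label, strict, naive))
```

The two rows where the strict and naive results differ are the ones to keep in mind when choosing what to put on the allowlist: an entry is only as safe as the matching rule behind it, so list the exact hosts that legitimately post to the server rather than broad fragments. The "no Referer" row is the gap the technote itself describes; browsers or proxies that strip the Referer header leave those requests unprotected by this filter.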

You need to set this on every application server in your environment by following the steps below:

  1. On the administrative console, navigate to Servers > Server Types > WebSphere application servers
  2. Click the server name, then navigate to Java and Process Management > Process definition > Java Virtual Machine > Custom properties
  3. Add a new custom property by clicking New... and enter the following values:
    Name: com.ibm.bpm.security.csrffilter.allowlist.Referer
    Value: <comma separated list of acceptable hostnames or domains>
    Description: allowlist of acceptable REFERER header values
  4. Click OK, then Save the changes in the administrative console
  5. Repeat the steps above for every server
  6. Restart the servers to activate the changed value

Alternatively, you can run the wsadmin (Jython) script below to add the value to your environment. You will need to adapt the cell, node and server names in the containment path, and the hostname list in the value, to your system:

# Adapt the cell, node and server names to your own environment
server = AdminConfig.getid("/Cell:PCCell1/Node:Node1/Server:server1/")
# First (and only) JavaVirtualMachine object under that server
jvm = AdminConfig.list('JavaVirtualMachine', server).split()[0]
attr_name = ['name', "com.ibm.bpm.security.csrffilter.allowlist.Referer"]
# Comma-separated list of acceptable Referer hostnames or domains
attr_value = ['value', "hostname.com"]
attr_required = ['required', "false"]
attr_description = ['description', "allowlist of acceptable REFERER header values"]
attr_list = [attr_name, attr_value, attr_required, attr_description]
# Add the custom property to the JVM's systemProperties and save the configuration
property = ['systemProperties', [attr_list]]
AdminConfig.modify(jvm, [property])
AdminConfig.save()
# Repeat for every server, then restart the servers to activate the value



For version 8.5.6 we have simplified the configuration:

AdminTask.setBPMProperty(['-de', 'De1', '-name', 'ProcessServer.CsrfProtectionRefererallowlist', '-value', 'hostname.com'])

Where De1 is the name of your deployment environment and hostname.com is the comma-separated list of allowlisted Referer hostnames or domains. This is set just once on the Deployment Manager at the deployment environment level and is no longer set per JVM.

Applies to:
  IBM Business Process Manager Advanced (Component: Security), versions 8.5.7, 8.5.6, 8.5.5, 8.5.0.1, 8.0.1.3, 7.5.1.2, on AIX, Linux, Solaris and Windows
  IBM Business Process Manager Express (Component: Security), versions 8.5.5, 8.5.0.1, 8.0.1.3, 7.5.1.2, on Linux, Linux zSeries and Windows
  IBM Business Process Manager Standard (Component: Security), versions 8.5.5, 8.5.0.1, 8.0.1.3, 7.5.1.2, on AIX, Linux, Linux zSeries, Solaris and Windows

Document Information

Modified date:
15 June 2018

UID

swg21690792