Product: TIBCO Spotfire®
How to know if CSRF Protection is enabled or disabled by default?
CSRF protection is enabled by default in TIBCO Spotfire Server, but when the 'config-csrf-protection' command is run after exporting the default configuration.xml file, its output reports the protection as disabled:
C:\tibco\tss\7.11.1\tomcat\bin>config export-config
Tool password:
Successfully exported the server configuration to file C:\tibco\tss\7.11.1\tomcat\bin\configuration.xml

C:\tibco\tss\7.11.1\tomcat\bin>config config-csrf-protection
The CSRF protection for the public Web Service API is disabled
The CSRF protection for legacy SOAP clients is disabled
By using the option described in the resolution below, you can determine whether CSRF protection is actually enabled or disabled.
The 'config-xxx' commands by default show the current values only for properties that are explicitly present in the configuration.xml file. The CSRF protection setting is not written to configuration.xml by default, because it exists for security purposes and should not normally be changed. Since the property is absent from configuration.xml, the output of the 'config-csrf-protection' command shows it as disabled even though the protection is active.
You need to use the --verbose option to find out whether CSRF protection is actually enabled or disabled:
> config config-csrf-protection --verbose
Example:
C:\tibco\tss\10.3.0\tomcat\spotfire-bin>config config-csrf-protection --verbose
The CSRF protection is enabled
The CSRF protection for SOAP services is enabled
The CSRF protection for legacy SOAP clients is disabled
Minimum client technical version that supports full CSRF protection: 21.0
Legacy SOAP services: UserDirectoryService.getPrincipal, UserDirectoryService.getGroupsRecursive, LoginService.login
Unprotected SOAP services: LoginService.login
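When this check is run across many servers it is easy to capture the non-verbose output by mistake and conclude that CSRF protection is off. The following added example (not TIBCO code, and not from the article) parses the text printed by config-csrf-protection into a structured result, treats output that lacks the "Minimum client technical version" line as non-verbose and therefore not authoritative (an assumption based on the two outputs shown above), and lists the legacy-client exemption and any unprotected SOAP services for review. Both sample outputs are constructed from the article; in practice you would feed it the captured stdout of the command.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the --verbose output shown in the article.
SAMPLE_VERBOSE_OUTPUT = """\
The CSRF protection is enabled
The CSRF protection for SOAP services is enabled
The CSRF protection for legacy SOAP clients is disabled
Minimum client technical version that supports full CSRF protection: 21.0
Legacy SOAP services: UserDirectoryService.getPrincipal, UserDirectoryService.getGroupsRecursive, LoginService.login
Unprotected SOAP services: LoginService.login
"""

# Constructed sample: the misleading non-verbose output shown in the article.
SAMPLE_NONVERBOSE_OUTPUT = """\
The CSRF protection for the public Web Service API is disabled
The CSRF protection for legacy SOAP clients is disabled
"""

# "The CSRF protection is enabled" or "The CSRF protection for <scope> is disabled"
STATUS_RE = re.compile(
    r"^The CSRF protection(?: for (?P<scope>.+?))? is (?P<state>enabled|disabled)$"
)
LIST_RE = re.compile(
    r"^(?P<key>Legacy SOAP services|Unprotected SOAP services):\s*(?P<items>.*)$"
)
VERSION_RE = re.compile(
    r"^Minimum client technical version that supports full CSRF protection:\s*(?P<ver>[\d.]+)$"
)


def parse_csrf_status(output: str) -> Dict[str, object]:
    """Turn the command's printed lines into a dict of flags and service lists."""
    flags: Dict[str, bool] = {}
    legacy: List[str] = []
    unprotected: List[str] = []
    min_version: Optional[str] = None

    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            # No "for <scope>" suffix means the global switch.
            scope = m.group("scope") or "global"
            flags[scope] = m.group("state") == "enabled"
            continue
        m = LIST_RE.match(line)
        if m:
            items = [s.strip() for s in m.group("items").split(",") if s.strip()]
            if m.group("key").startswith("Legacy"):
                legacy = items
            else:
                unprotected = items
            continue
        m = VERSION_RE.match(line)
        if m:
            min_version = m.group("ver")

    return {
        "flags": flags,
        "legacy_services": legacy,
        "unprotected_services": unprotected,
        "min_client_version": min_version,
        # Assumption: only --verbose output carries the version line.
        "verbose": min_version is not None,
    }


def review_findings(status: Dict[str, object]) -> List[str]:
    """Items a reviewer should look at; empty list means nothing to flag."""
    if not status["verbose"]:
        return ["output lacks the --verbose details; rerun with --verbose before trusting the reported state"]
    findings: List[str] = []
    flags = status["flags"]
    if not flags.get("global", False):
        findings.append("CSRF protection is globally disabled")
    if not flags.get("SOAP services", False):
        findings.append("CSRF protection for SOAP services is disabled")
    if flags.get("legacy SOAP clients") is False:
        findings.append("legacy SOAP clients are exempt from CSRF protection")
    for svc in status["unprotected_services"]:
        findings.append(f"unprotected SOAP service: {svc}")
    return findings


if __name__ == "__main__":
    for label, text in (("verbose", SAMPLE_VERBOSE_OUTPUT), ("non-verbose", SAMPLE_NONVERBOSE_OUTPUT)):
        print(label, review_findings(parse_csrf_status(text)))
```

On the article's verbose sample the reviewer gets two items (the legacy-client exemption and LoginService.login being unprotected), while the non-verbose sample is rejected outright rather than being reported as "disabled".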
Doc: config-csrf-protection