Enhancing Security in ActiveMatrix BPM

The following provides information about how to enhance security to prevent disclosure of sensitive information.

Preventing Caching on SSL Connections

By default, resources (client requests and server responses) for ActiveMatrix BPM applications are cached by the browser when SSL is enabled - that is, when the AMX BPM HTTP Connector has SSL enabled.

Caching of resources served over SSL is controlled by adding the appropriate headers to resources: Cache-Control (for HTTP/1.1 implementations) and Pragma (for HTTP/1.0 implementations).

To tighten security, you can prevent SSL caching for ActiveMatrix BPM applications by using the wr.isSSLCacheable substitution variable.

Note: Although it increases security, preventing caching can have a negative impact on performance.

If wr.isSSLCacheable is:

  • true (default) - SSL resources are cached. The following headers are added to resources when caching is enabled:
    Cache-Control: max-age=604800,public
  • false - SSL resources are not cached. The following headers are added to resources when caching is disabled:
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0

For information about adding and editing substitution variables, see Substitution Variables.

Configuring Which Resources are Cached

You can use the wr.nonCacheableExtensions substitution variable to exclude specific file extensions from being cached.

wr.nonCacheableExtensions specifies a comma-separated list of file extensions that will not be cached. For each extension listed, headers are set to disable caching. For all others, headers are set to enable caching. The default setting for this variable is .nocache.js.

Note: If SSL is enabled, the extensions listed in wr.nonCacheableExtensions are excluded from caching only when SSL caching is also enabled (wr.isSSLCacheable is true).

If SSL is not enabled, the extensions listed in wr.nonCacheableExtensions are never cached.
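The following added example (not TIBCO code) models how wr.isSSLCacheable and wr.nonCacheableExtensions combine, and reports resources that should not be cached but were served without the no-cache headers listed above. The function names, resource paths and sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit

# No-cache header set listed on this page (names and values lower-cased).
NO_CACHE = {
    "cache-control": {"no-cache", "no-store", "must-revalidate"},
    "pragma": {"no-cache"},
    "expires": {"0"},
}


def should_be_cacheable(path, ssl_enabled, is_ssl_cacheable=True,
                        non_cacheable_extensions=".nocache.js"):
    """Documented rules for wr.isSSLCacheable and wr.nonCacheableExtensions."""
    if ssl_enabled and not is_ssl_cacheable:
        return False  # SSL caching disabled: no resource is cached
    suffixes = [s.strip().lower() for s in non_cacheable_extensions.split(",")]
    name = urlsplit(path).path.lower()
    return not any(s and name.endswith(s) for s in suffixes)


def missing_no_cache(headers):
    """Return the no-cache directives that a response's headers lack."""
    seen = {k.strip().lower(): {v.strip().lower() for v in val.split(",")}
            for k, val in headers.items()}
    return [f"{name}: {d}" for name, wanted in NO_CACHE.items()
            for d in sorted(wanted - seen.get(name, set()))]


def audit(responses, ssl_enabled, is_ssl_cacheable, non_cacheable_extensions):
    """Map each resource that must not be cached to the directives it lacks."""
    findings = {}
    for path, headers in responses.items():
        if should_be_cacheable(path, ssl_enabled, is_ssl_cacheable,
                               non_cacheable_extensions):
            continue
        gaps = missing_no_cache(headers)
        if gaps:
            findings[path] = gaps
    return findings


# Constructed sample: hypothetical paths with headers as a client received them.
SAMPLE = {
    "/app/main.nocache.js": {"Cache-Control": "no-cache, no-store, must-revalidate",
                             "Pragma": "no-cache", "Expires": "0"},
    "/app/style.css": {"Cache-Control": "max-age=604800,public"},
}
```

Calling `audit(SAMPLE, True, False, ".nocache.js")` flags `/app/style.css`, because with wr.isSSLCacheable set to false every resource served over SSL should carry the no-cache headers.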

Malicious Script Injection into REST Service Requests

Malicious script can be injected into REST service requests. If an exception occurs, the malicious script is returned to the client as part of the response. (Also see the section below concerning malicious script injection into Application Development-related REST services.)

To prevent malicious script from being sent to the client, as well as Cross-Site Scripting (XSS) attacks, the following properties are available in the RESTServiceConfig.properties file (for more information about the RESTServiceConfig.properties file, see BPM Properties Files).

  • logStackTrace (default = true) - This determines if a stack trace is logged in the BPM log file when a REST exception occurs.
  • supressErrorMessages (default = false) - This determines if error messages are returned to the client when a REST exception occurs. When this is set to false, a generic message (which does not contain any details related to the error) is sent to the client instead of the error message.
  • logDocumentName (default = true) - This determines if the document name is shown in a failed upload request. This property can be set to false to help prevent XSS attacks. For instance, if the document name includes malicious content, such as a <script> tag, the script could be executed on the client. For example:

    https://localhost:8080/bpm/document/upload?caseReference=x&documentName="}<script>alert(document.domain)</script>{"

    Turning off document name logging can prevent this.

Malicious Script Injection into Application Development REST Services

Malicious script can be injected into Application Development REST services (that is, applications developed with Application Development using the objectAPI, business components, business component services). If an exception occurs, the malicious script is returned to the client as part of the response. (Also see the section above concerning malicious script injection into non-Application Development-related REST service requests.)

To prevent malicious script from being sent to the client, as well as Cross-Site Scripting (XSS) attacks, the following property is available in the appDev.properties file (for more information about the appDev.properties file, see BPM Properties Files).

  • supressErrorMessages (default = false) - This determines if error messages are returned to the client when a REST exception occurs. When this is set to false, a generic message (which does not contain any details related to the error) is sent to the client instead of the error message.
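As a way to verify the settings in both REST sections, the following added example (not TIBCO code) checks whether a request parameter containing markup characters is echoed unencoded in an error response. It reuses the documentName request shown earlier; the function name and the three response bodies are constructed for illustration.

```python
import html
import json
from urllib.parse import parse_qsl, urlsplit

MARKUP_CHARS = set("<>\"'")


def reflected_parameters(request_url, response_body):
    """Return query parameter names whose markup-bearing value is echoed back.

    Checks the raw value and its JSON-escaped form; an HTML-encoded echo
    is not reported because a browser will not parse it as markup.
    """
    hits = []
    query = urlsplit(request_url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not MARKUP_CHARS & set(value):
            continue  # nothing a browser could interpret as markup
        json_form = json.dumps(value)[1:-1]
        if value in response_body or json_form in response_body:
            hits.append(name)
    return hits


# The request from the documentName example, with constructed response bodies.
REQUEST = ('https://localhost:8080/bpm/document/upload?caseReference=x'
           '&documentName="}<script>alert(document.domain)</script>{"')
DOC_NAME = dict(parse_qsl(urlsplit(REQUEST).query))["documentName"]
DETAILED = json.dumps({"error": "Upload failed for " + DOC_NAME})
ENCODED = "<p>Upload failed for " + html.escape(DOC_NAME) + "</p>"
GENERIC = json.dumps({"error": "The request could not be processed."})
```

Only the DETAILED body is reported; a generic message or an HTML-encoded echo returns an empty list.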

Suppressing a Stack Trace in a SOAP/HTTP Service

An option is provided to suppress a stack trace in the reply message from a SOAP/HTTP service. This can be used to prevent malicious script from being injected into a SOAP fault.

By default, a stack trace is included in the <detail> element of a SOAP fault. It can be suppressed by adding a Java property to the node's TRA file and then restarting the node, as described below.

  1. Using a text editor, open the following file:

    CONFIG_HOME\tibcohost\Admin-ActiveMatrixEnterpriseName-ActiveMatrixServerName\nodes\BPMNode\bin\tibamx_BPMNode.tra

  2. Add the following Java property:
    java.property.com.tibco.soapbt.spline.soapfaulttransformer.suppressstacktraceinsoapfault=true
  3. Save the file.
  4. Restart the node.
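After the restart, you can confirm the change by inspecting a fault returned by the service. The following added example (not TIBCO code) extracts Java stack frames from the detail element of a SOAP fault; the function name, the stack-frame pattern and both sample faults are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Java stack frame, e.g. "at com.example.Foo.bar(Foo.java:42)"
STACK_FRAME = re.compile(r"\bat\s+[\w$.]+\.[\w$<>]+\([^)]*\)")


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def fault_detail_stack_frames(soap_xml):
    """Return Java stack frames found in the detail element of a SOAP fault.

    Matches SOAP 1.1 (<detail>) and SOAP 1.2 (<Detail>) faults. Intended for
    responses captured from your own service, not arbitrary untrusted XML.
    """
    frames = []
    for elem in ET.fromstring(soap_xml).iter():
        if local_name(elem.tag) != "Fault":
            continue
        for child in elem:
            if local_name(child.tag).lower() == "detail":
                frames.extend(STACK_FRAME.findall("".join(child.itertext())))
    return frames


# Constructed sample faults: one with a stack trace, one with it suppressed.
ENVELOPE = """<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body><soapenv:Fault>
  <faultcode>soapenv:Server</faultcode>
  <faultstring>Internal error</faultstring>
  %s
 </soapenv:Fault></soapenv:Body></soapenv:Envelope>"""
WITH_TRACE = ENVELOPE % """<detail>java.lang.IllegalStateException: bad input
    at com.example.Service.handle(Service.java:42)
    at com.example.Dispatcher.run(Dispatcher.java:17)</detail>"""
SUPPRESSED = ENVELOPE % "<detail/>"
```

A non-empty result for a fault captured after the restart means the stack trace is still being returned to the client.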