How to implement HTTP Request Header verification
For enhanced security, MainView Middleware Administrator (MVMA) by default implements HTTP Request Header verification, validating the requester from the X-Requested-With header.
By default, applications interacting with the MVMA web interface MUST set a non-empty value for this header when sending an HTTP request to MVMA after successful login.
While the MVMA web interface and the MVMA JavaScript API support this header, other applications such as TrueSight Middleware and Transaction Monitor 8.1 or MainView for MQ (from version 5.4), or custom applications using the MVMA REST API not through the JavaScript API but through a different web client (such as curl), may not work out-of-the-box.
There are two alternative options to enable applications to interact with the MVMA web interface:
- Modify the application to pass a non-empty value with the X-Requested-With header with every request sent.
- Disable request header verification within MVMA (not recommended).
For example, to enable a custom application using curl to interact with MVMA through its REST API, change the curl command to send the X-Requested-With header with any non-empty value, for example MyApp:
curl --insecure -b cookies.txt --header "Content-Type:application/json" --header "X-Requested-With:MyApp" https://quicksilver.bmc.com:8443/bmmadmin/admin/projects
The identifier used with the header may be any string that contains no whitespace or commas.
MVMA uses different identifiers depending on its underlying component:
| MVMA Component | X-Requested-With | Used by |
|---|---|---|
| Web UI (from within the browser) | XMLHttpRequest | Browsers (e.g. Internet Explorer, Firefox, Chrome) |
| MVMA JavaScript API | TSMAJavaScriptAPI | Custom applications using the MVMA JavaScript API |
| MVMA Java API | TSMAJavaAPI | BMC applications such as TrueSight Middleware and Transaction Monitor (from version 8.1.00) |
While these identifiers are not strictly reserved, custom applications are recommended to use their own identifiers.
MVMA supports whitelisting these identifiers so that customers can control access to the MVMA web application more tightly: set the system property com.bmc.mmadmin.ValidXRequesters to a comma separated list of the identifiers that are allowed to access MVMA, as sent in the X-Requested-With header. Any request whose identifier is not in the list is rejected.
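The following Python model, added here as an illustration and not MVMA's own code, shows the decision the two properties described on this page imply for an incoming request: the header must be present with a non-empty identifier containing no whitespace or commas, and when a ValidXRequesters list is configured the identifier must additionally appear in it. It assumes header names are matched case-insensitively and identifiers are compared exactly, and the sample requests are constructed, not captured from a real MVMA instance.

```python
"""Model of an X-Requested-With check (added example, not MVMA's code)."""
from typing import Mapping, Optional, Tuple


def parse_valid_requesters(value: Optional[str]) -> Optional[frozenset]:
    """Parse a ValidXRequesters-style comma separated list.

    Returns None when no whitelist is configured (any well-formed
    identifier is then accepted), otherwise the set of accepted identifiers.
    Stripping whitespace around each entry is an assumption.
    """
    if value is None or not value.strip():
        return None
    return frozenset(p.strip() for p in value.split(",") if p.strip())


def is_valid_identifier(identifier: str) -> bool:
    """An identifier must be non-empty and contain no whitespace or commas."""
    if not identifier:
        return False
    return not any(ch.isspace() or ch == "," for ch in identifier)


def check_requester(headers: Mapping[str, str],
                    check_enabled: bool = True,
                    valid_requesters: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a request passes header verification.

    check_enabled mirrors com.bmc.mmadmin.CheckRequester and
    valid_requesters mirrors com.bmc.mmadmin.ValidXRequesters
    (None means no whitelist). Returns (accepted, reason).
    """
    if not check_enabled:
        return True, "verification disabled"
    # Case-insensitive header lookup (assumption about the server).
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-requested-with"), "").strip()
    if not is_valid_identifier(value):
        return False, "missing or malformed X-Requested-With header"
    whitelist = parse_valid_requesters(valid_requesters)
    if whitelist is not None and value not in whitelist:
        return False, f"requester {value!r} not in whitelist"
    return True, f"requester {value!r} accepted"


# Constructed sample requests, keyed by the client that would send them.
SAMPLE_REQUESTS = {
    "browser": {"Cookie": "JSESSIONID=<placeholder>",
                "X-Requested-With": "XMLHttpRequest"},
    "myapp": {"Content-Type": "application/json",
              "X-Requested-With": "MyApp"},
    "plain_curl": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    whitelist = "XMLHttpRequest,TSMAJavaScriptAPI,TSMAJavaAPI,MyApp"
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(name, check_requester(hdrs, valid_requesters=whitelist))
```

Running the block shows the browser and MyApp requests accepted and the curl request without the header rejected; dropping MyApp from the whitelist rejects the second request as well, which is why the configuration step below tells you to include every identifier your clients actually send.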
To configure a whitelist of requester identifiers with MVMA
- Stop MVMA services.
- Open the wrapper.conf in the configuration sub-folder of the MVMA installation directory.
- Add an entry
wrapper.java.additional.NN=-Dcom.bmc.mmadmin.ValidXRequesters=<whitelist>
where NN is the highest number of the current entries of this type increased by one, and <whitelist> is the comma separated list of accepted header identifiers. Make sure to include the identifiers used by the MVMA components so that you do not lock yourself out of using MVMA through a browser or through a custom application using the MVMA JavaScript API.
For example: wrapper.java.additional.22=-Dcom.bmc.mmadmin.ValidXRequesters=XMLHttpRequest,TSMAJavaScriptAPI,TSMAJavaAPI,MyApp
- Save your changes to wrapper.conf.
- Restart MVMA services.
While adjusting a custom application that relies on the JavaScript API of an earlier version may be as easy as pointing it to the MVMA JavaScript API, it may be more difficult for custom applications using another web client, and it may even be impossible for other products integrating with MVMA, such as TrueSight Middleware and Transaction Monitor (from version 8.1.00) or MainView for MQ (from version 5.4).
To enable these applications to interact with MVMA, request header verification can optionally be disabled by setting the system property com.bmc.mmadmin.CheckRequester to false. This can be useful as a temporary measure to keep existing applications working with MVMA until a solution that sends the required request header is implemented.
To disable HTTP request header verification within MVMA
- Stop MVMA services.
- Open the wrapper.conf in the configuration sub-folder of the MVMA installation directory.
- Add an entry
wrapper.java.additional.NN=-Dcom.bmc.mmadmin.CheckRequester=false
where NN is the highest number of the current entries of this type increased by one.
For example: wrapper.java.additional.22=-Dcom.bmc.mmadmin.CheckRequester=false
- Save your changes to wrapper.conf.
- Restart MVMA services.
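Both procedures above (configuring the ValidXRequesters whitelist and setting CheckRequester to false) come down to the same edit: find the highest existing wrapper.java.additional.NN entry in wrapper.conf and append NN+1 with the new -D property. The Python script below, added here as an example and not part of MVMA, does that edit programmatically and also keeps the three MVMA identifiers from the table in any whitelist it builds, so the lock-out the page warns about cannot happen by omission. It assumes entries have the form wrapper.java.additional.<N>=<value> and that a property already present should be replaced rather than duplicated (the page does not say how MVMA treats duplicates); the wrapper.conf fragment is constructed, not a real installation file.

```python
"""Append or replace a -D system property in a wrapper.conf file
(added example, not MVMA's own tooling)."""
import re
from pathlib import Path
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")

# Identifiers used by MVMA's own components (from the table on this page).
MVMA_IDENTIFIERS = ["XMLHttpRequest", "TSMAJavaScriptAPI", "TSMAJavaAPI"]


def parse_entries(text: str) -> List[Tuple[int, str]]:
    """Return (NN, value) for every wrapper.java.additional.NN line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def next_index(text: str) -> int:
    """Highest existing NN plus one; 1 when there are no entries yet."""
    return max((n for n, _ in parse_entries(text)), default=0) + 1


def property_name(value: str) -> Optional[str]:
    """Extract the key from a -Dkey=value argument, or None if not a -D flag."""
    m = re.match(r"^-D([^=\s]+)", value)
    return m.group(1) if m else None


def add_system_property(text: str, key: str, value: str) -> str:
    """Return wrapper.conf text with -D<key>=<value> present exactly once.

    An existing entry for key is replaced in place (assumption: duplicates
    are undesirable); otherwise a new wrapper.java.additional.NN line is
    appended, with NN computed as the procedure on this page describes.
    """
    new_arg = f"-D{key}={value}"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if m and property_name(m.group(2)) == key:
            lines[i] = f"wrapper.java.additional.{m.group(1)}={new_arg}"
            return "\n".join(lines) + "\n"
    lines.append(f"wrapper.java.additional.{next_index(text)}={new_arg}")
    return "\n".join(lines) + "\n"


def whitelist_with(*custom: str) -> str:
    """Comma separated ValidXRequesters value that never drops MVMA's own ids."""
    return ",".join(MVMA_IDENTIFIERS + [c for c in custom if c not in MVMA_IDENTIFIERS])


def update_wrapper_conf(path: Path, key: str, value: str) -> None:
    """Rewrite a real wrapper.conf in place (run with MVMA services stopped)."""
    path.write_text(add_system_property(path.read_text(), key, value))


# Constructed sample wrapper.conf fragment (not from a real MVMA install).
SAMPLE_CONF = """\
wrapper.java.command=java
wrapper.java.additional.1=-Xmx1024m
wrapper.java.additional.21=-Dfile.encoding=UTF-8
"""

if __name__ == "__main__":
    # Whitelist procedure: MVMA identifiers plus the custom application.
    print(add_system_property(SAMPLE_CONF,
                              "com.bmc.mmadmin.ValidXRequesters",
                              whitelist_with("MyApp")))
    # Disable procedure (not recommended): CheckRequester=false.
    print(add_system_property(SAMPLE_CONF,
                              "com.bmc.mmadmin.CheckRequester", "false"))
```

With the sample fragment the next free index is 22, so the whitelist run appends the same line the page gives as its example; running the function a second time with a changed whitelist edits that line rather than adding a 23rd entry. To apply it to a real installation, call update_wrapper_conf on the wrapper.conf in the configuration sub-folder after stopping the MVMA services.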