Verifying requests at the application layer

Pega Platform™ protects access to information in your application by using role-based settings and access control policies.  Pega Platform provides additional request verification when you use autogenerated controls.  As a best practice, and to conform to platform guardrails, use autogenerated controls. You can manually configure custom (non-autogenerated) controls for increased security.

The article Verifying requests when using custom controls describes how to manually configure non-autogenerated controls.

You can verify requests at the application level by using three when rules, which are defined on @baseclass.  You can override these when rules in your application. The following table describes the when rules that are used to handle the application protection feature.  

When pySecureFeatures is false, no access checking is performed and the other two when rules are ignored.

| When rule name | Description | Default value | Behavior when true | Behavior when false |
| --- | --- | --- | --- | --- |
| pySecureFeatures | Turns application level checking on or off | True when (a) the portal is not Dev Studio, App Studio, or Admin Studio and (b) the client is not mobile or hybrid. In other words, the access control check is not done when the client is using Dev Studio, App Studio, or Admin Studio, or the client is mobile or hybrid; the check is done everywhere else. | Application level checking is on. When an access violation is found, a security alert is logged that says "Unregistered request encountered" (default behavior). | Application level checking is off. |
| pyShowSecureFeatureWarnings | Controls display of a warning to the end user | False | When an access violation is found and pyBlockUnregisteredRequests is false, a Pega warning is displayed to the user saying "URL tampering vulnerability detected." | The access control warning is not displayed to the user (default behavior). |
| pyBlockUnregisteredRequests | Controls the HTTP response | False | When an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden. | The request is processed normally (default behavior). |

As described in the table above, the default behavior of pyBlockUnregisteredRequests is to process unregistered requests, without issuing an HTTP error. This default allows your application to behave as expected while you work on configuring your custom controls as described in Verifying requests when using custom controls. Once you have ensured that all of your custom controls have been configured, override pyBlockUnregisteredRequests so that it returns true and blocks unregistered requests.
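
While pyBlockUnregisteredRequests is still false, the "Unregistered request encountered" alerts show which requests would receive a 403 once blocking is turned on. The following added example (not Pega code) tallies those alerts per activity to support that check. The log line layout, the `activity=` field, the sample activity names and the seven-day quiet window are assumptions made for illustration, not Pega's alert format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

ALERT_TEXT = "Unregistered request encountered"  # message quoted in the table

# Assumed layout (constructed for this example, not Pega's real alert format):
#   <ISO timestamp> <text containing the alert message> activity=<name>
ACTIVITY_RE = re.compile(r"\bactivity=(\S+)")

# Constructed sample lines; activity names are hypothetical.
SAMPLE_LOG = """\
2024-05-01T09:12:03 ALERT Unregistered request encountered activity=GetCustomerNotes
2024-05-01T09:12:09 INFO Request processed activity=OpenWorkItem
2024-05-02T14:40:51 ALERT Unregistered request encountered activity=GetCustomerNotes
2024-05-03T08:01:17 ALERT Unregistered request encountered activity=ExportGrid
""".splitlines()


def unregistered_hits(lines):
    """Yield (timestamp, activity) for each line carrying the alert text."""
    for line in lines:
        if ALERT_TEXT not in line:
            continue
        ts = datetime.fromisoformat(line.split(maxsplit=1)[0])
        m = ACTIVITY_RE.search(line)
        # Keep alerts without a parsable activity visible instead of dropping them.
        yield ts, (m.group(1) if m else "<unknown>")


def summarize(lines):
    """Return (alert count per activity, most recent alert per activity)."""
    counts, last_seen = Counter(), {}
    for ts, activity in unregistered_hits(lines):
        counts[activity] += 1
        last_seen[activity] = max(ts, last_seen.get(activity, ts))
    return counts, last_seen


def still_unregistered(lines, now, quiet=timedelta(days=7)):
    """Activities that raised the alert within the quiet window before `now`."""
    _, last_seen = summarize(lines)
    return sorted(a for a, ts in last_seen.items() if now - ts <= quiet)


if __name__ == "__main__":
    for name in still_unregistered(SAMPLE_LOG, datetime(2024, 5, 10)):
        print("custom control still sending unregistered requests:", name)
```

An empty result only covers the request paths that were exercised during the window, so it supplements a review of the custom controls rather than replacing it.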

 

 

 
