Pega Web Mashup Data Security
In addition to the authentication of users and the access rights of authenticated users, you must consider the security of the data you plan to display in a mashup application.
Fields and Field Values
The system ensures that every clipboard property value it receives in an HTTP request corresponds to an input field previously sent in the HTML from the system. It maintains a list of expected properties for each thread. If it receives input for a field that is not included on the expected properties list, it ignores the value and writes an entry in the Alert log. (For information about the Alert log, see the Alerts Guide.)
You must ensure that the application you develop validates the input for an expected property. For example, if there’s a list of possible values for the field, the application must verify that the value matches one on the list. Additionally, you must provide design elements that validate input based on context.
For example, if you have an account field, the system rejects invalid account numbers. But what if someone enters the account number of a valid account that doesn’t happen to be theirs? Your application must restrict user access to only those accounts that belong to them.
Take the time to assess every field you plan to make available in the application and ensure that appropriate restrictions and validation are in place. Configure your application to validate clipboard property values during input processing.
- For single value, value list, and value group properties, specify the list of valid entries on the Table Edit tab of the property. Then use a cross-browser HTML property rule that renders a drop-down list or radio-button list: PromptSelect, PromptRadioButtons, or PromptFieldValues. During input processing, the system validates input for the field against the list on the Table Edit tab.
- Use an edit validate rule (Rule-Edit-Validate rule type) to provide Java code to test the validity of an input value for a property.
- Use a constraints rule to define and enforce comparison relationships among property values. Constraints rules can provide an automatic form of property validation every time the property's value is "touched," in addition to the validation provided by the property rule or other means.
For example, to ensure that the input for an account field is not only valid but is valid for the person who provided it, you could use a constraints rule with a data page. For information, see Understanding data pages.
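The following added example (illustration only, not Pega code or its API) models the three layers described above: a per-thread expected-properties list whose violations are ignored and alerted, a Table Edit style value list, and a context check that rejects a real account number that does not belong to the requester. All names, thread ids and sample data are constructed for the example.

```python
"""Constructed illustration of the validation model described on this page.
None of the identifiers below are Pega APIs; they stand in for the concepts."""
import logging

alert_log = logging.getLogger("alert")

# Constructed: input fields the server rendered for each thread, analogous to
# the per-thread expected-properties list kept by the system.
EXPECTED_PROPERTIES = {
    "thread-1": {"AccountNumber", "ContactMethod"},
}

# Constructed: allowed entries, analogous to a property's Table Edit list.
VALUE_LISTS = {"ContactMethod": {"Email", "Phone", "Mail"}}

# Constructed: which accounts belong to which operator (the context check).
ACCOUNT_OWNERS = {"ACC-1001": "alice", "ACC-2002": "bob"}


def process_input(thread_id, operator, submitted):
    """Return (accepted values, list of (field, reason) rejections).

    Fields not expected for the thread are dropped and alerted; expected
    fields are checked against their value list and, for the account
    field, against ownership by the requesting operator.
    """
    accepted, rejected = {}, []
    expected = EXPECTED_PROPERTIES.get(thread_id, set())
    for name, value in submitted.items():
        if name not in expected:
            # Mirrors the system behaviour: ignore the value, write an alert.
            alert_log.warning("unexpected property %r on thread %s", name, thread_id)
            rejected.append((name, "unexpected"))
            continue
        if name in VALUE_LISTS and value not in VALUE_LISTS[name]:
            rejected.append((name, "not in value list"))
            continue
        if name == "AccountNumber" and ACCOUNT_OWNERS.get(value) != operator:
            # A valid account number is still rejected if it is not the caller's.
            rejected.append((name, "not owned by requester"))
            continue
        accepted[name] = value
    return accepted, rejected
```

In a real application the ownership lookup would be served by a data page or constraints rule rather than an in-memory table.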
Published May 31, 2016 — Updated November 2, 2016