Support Article
URLAccessModeWarn:URLAccessPermitted warning in logs
SA-21378
Summary
Pega 7.1.9 users see a warning in the logs when creating a new work object.
Following the solution documented in SA-18009 for Pega 7.1.8 (https://pdn.pega.com/support-articles/csrfattack-warning-message-repeats-pegarules-logfile), the users specified the Dynamic System Setting (DSS) prconfig/security/urlaccessmode with Value=allow, but the warning persists.
Error Messages
2016-03-12 11:39:22,299 [ tomcat-http--3] [TABTHREAD7] [ ] [ Application] ( mgmt.util.URLAccessContext) WARN ,<ip1>|<ip2>- URLAccessModeWarn:URLAccessPermitted URLAccessDetail ActionTampered Actual Fixed Param-Value : key=<key1> Expected Param-Value : key=<key2>
Steps to Reproduce
- Create a new work object.
- Observe the warning in the log.
- Check to ensure that the Pega-Engine DSS is specified as prconfig/security/urlaccessmode Value=allow.
- Observe that the warning persists in the log.
Root Cause
A software use or operation error
Resolution
Here’s the explanation for the reported behavior:
The DSS was specified incorrectly because it did not include /default in the Setting Purpose.
The Pega-Engine DSS Setting Purpose should be specified as prconfig/security/urlaccessmode/default with the value as Allow.
Owning Ruleset : Pega-Engine
Setting Purpose : security/urlaccessmode/default
Value : Allow
Restart the server for this change to take effect.
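To confirm after the restart that the warning has actually stopped, the log can be scanned for lines in the format shown under Error Messages. The following Python is an added example, not Pega code; the sample lines, addresses, keys and restart time are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the warning format shown under "Error Messages"; whitespace is
# matched loosely because log layouts pad fields differently.
WARN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s.*?"
    r"URLAccessContext\)\s*WARN\s*,?\s*(?P<src>\S*?)\s*-\s+"
    r"URLAccessModeWarn:(?P<outcome>\w+)\s+URLAccessDetail\s+(?P<detail>\w+)"
)

def parse_warning(line):
    """Return (timestamp, source, outcome, detail), or None for other lines."""
    m = WARN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return ts, m["src"], m["outcome"], m["detail"]

def warnings_around_restart(lines, restart):
    """Count warnings per (source, detail) before and after the restart time."""
    before, after = Counter(), Counter()
    for line in lines:
        parsed = parse_warning(line)
        if parsed is None:
            continue
        ts, src, _outcome, detail = parsed
        (after if ts >= restart else before)[(src, detail)] += 1
    return before, after

# Constructed sample log lines (addresses and keys are placeholders).
_FMT = ("{ts} [ tomcat-http--3] [TABTHREAD7] [ ] [ Application] "
        "( mgmt.util.URLAccessContext) WARN ,192.0.2.10|192.0.2.20- "
        "URLAccessModeWarn:URLAccessPermitted URLAccessDetail ActionTampered "
        "Actual Fixed Param-Value : key=k1 Expected Param-Value : key=k2")
SAMPLE = [
    _FMT.format(ts="2016-03-12 11:39:22,299"),
    _FMT.format(ts="2016-03-12 11:41:07,015"),
    "2016-03-12 11:45:00,000 [ tomcat-http--3] INFO - unrelated message",
    _FMT.format(ts="2016-03-12 12:05:31,442"),  # still logged after restart
]
RESTART = datetime(2016, 3, 12, 12, 0, 0)  # constructed restart time

if __name__ == "__main__":
    before, after = warnings_around_restart(SAMPLE, RESTART)
    print("before restart:", dict(before))
    print("after restart: ", dict(after) or "none, setting took effect")
```

A non-empty count after the restart means the setting was not picked up, which is the symptom this article describes.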
Related Content
https://pdn.pega.com/secu0008-alert-cross-site-forgery-attack-detected-and-blocked/secu0008-alert-cross-site-forgery
https://pdn.pega.com/configuring-csrf-protection/configuring-csrf-protection
Published July 5, 2017 - Updated October 8, 2020