Section | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
is a multi-tenant application. See the administration section on Manage Tenants. However, it is possible that all you need is a single tenant. If this is your case, it simplifies the server login if you default the @<tenantname> so the user only needs to enter their username to login. Customers who default the tenant login normally would also customize the placeholder on the login screen. Please read that topic for details.
- Stop Live Forms if it is running.
- Navigate to the <frevvo-home>\tomcat\conf directory
- Open the frevvo-config.properties file with a text editor.
Add the frevvo.default.login.tenant.id property to the <frevvo-home>\tomcat\conf\frevvo-config.properties file and set the param-value to the name of your one tenant.
Code Block title frevvo-config.properties frevvo.default.login.tenant.id=<your_tenant_id>
- Save the file
- Restart .
...
Note |
---|
|
...
no longer supports the web.xml parameters for frevvo.xforwarded.protocol.header, frevvo.xforwarded.host.header, and frevvo.xforwarded.port.headers. The general recommendation is to rely on the Servlet Container for handling dynamic proxies. A better approach is to use tomcat's RemoteIp Valve instead. Please see this documentation on the Apache Tomcat website for information about the RemoteIp valve functionality. This tomcat valve has been incorporated into our tomcat bundle.
Code Block |
---|
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies=".*" remoteIpHeader="x-forwarded-for" proxiesHeader ="x-forwarded-by" protocolHeader="x-forwarded-proto" /> |
...
Skew error when logging into an Azure SAML tenant
Users logging into a Azure SAML tenant may encounter the error "Access Denied. Authorization Required". Examination of the frevvo.log shows the following entry:
Code Block |
---|
Response issue time is either too old or with date in the future, skew 60, time 2016-06-01T05:49:25.330Z |
This error is typically caused by a clock synchronization issue between the Service Provider (frevvo) and the Identity Provider (Azure) or a genuine delay in the connection. If you get this error, adding the com.frevvo.security.saml.response.skew property can be used to specify the time in seconds allowed between the request and the response from Azure to a value greater than the default value of 60 seocnds.
Follow these steps:
- Stop Live Forms if it is running.
- Navigate to <frevvo-home>\tomcat\conf
- Open the frevvo-config.properties file with a text editor.
Add the parameter shown below with a value greater than the default value of 60 seconds. The example shown increases the timer to 120 seconds.
Code Block com.frevvo.security.saml.response.skew=120
Save the file.
- Restart .
- Retry the login.
...
Changing the Default Task Notification Email Message
If you want to change the default subject and body of the task notification email for your server, add these properties to the frevvo-config.properties file.
Code Block |
---|
frevvo.task.notification.email.subject=New task frevvo.task.notification.email.message=You can access your task list by clicking <a href="{task.perform.url}">this link</a> |
Change the value in this parameter to anything you want. The task.perform.url template {task.perform.url} is a built-in template in and it will always point to the specific task. Refer to the Task Notification Email Link topic for some other options. If you wrap the templates in an HTML <a> tag, it will generate a clickable link in the email.
If you do not want the link in your task notification emails to go there, you can remove it. The default message can include form control templates.
Security Vulnerabilities
The following security vulnerablities have been addressed as follows:
- Information Disclosure - resolved with the tomcat upgrade to version 8.5.16
- Man in the middle - This has to do with executing the CGI Servlet. This servlet is disabled in the frevvo Apache tomcat distribution. Customers who choose to enable the servlet are responsible for ensuring security viz. adding filter etc.
Version Disclosures - Resolved by configuring the ErrorReportValve in \frevvo\tomcat\conf\server.xml file (in the Host section) as described in this Apache tomcat website. The parameter that needs to be modified is:
Code Block <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
X-Frame-Options Header Not Set - Resolved by modification at the tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the tomcat web.xml. The filter is documented here. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter - (SAMEORIGIN or ALLOW-FROM).
Warning Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOWUse ALLOW-FROM instead. Click the appropriate link below for filter examples.
Code Block title Example of filter with SAMEORIGIN collapse true <filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Code Block theme Confluence title Example of filter with ALLOW-FROM for embedded forms collapse true <filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value> http://example.com:80/*</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
- Admin user name exposure in URLs - Resolved by the feature to not expose the user id in URLs.
- Tomcat 'Ghostcat' bug (affects through v9.0.10.) The frevvo Apache Tomcat will be upgraded in a future release. To address this vulnerability in the versions listed, please use the solution listed in this article.
...