Secret token validation

We can configure WebSEAL to require that certain management operation requests include a secret token. WebSEAL uses the secret token in the received request to validate its authenticity. Secret token validation affects the following WebSEAL management pages:

Use the enable-secret-token-validation configuration entry in the [acnt-mgt] stanza to enable secret token validation. By default, enable-secret-token-validation is set to false, which disables secret token validation.

If we want WebSEAL to use secret token validation, set this entry to true:

When secret token validation is enabled, WebSEAL adds a token to each session and validates the "token" query argument on these account management requests. For example, the request to /pkmslogout changes to /pkmslogout?token=<value>, where <value> is the unique session token.

This setting modifies the URLs for these WebSEAL management pages. Each of the affected management requests must contain a "token" argument with the current session token. For example,

If secret token validation is enabled and the token argument is missing from the request or does not match the real session token, WebSEAL returns a "400 Bad Request" error page. When secret token validation is in use, WebSEAL includes the session token as the tagvalue_session_index attribute in the user credential. WebSEAL provides a CREDATTR macro that is used to access a credential attribute and insert it into the following locations:
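The following Python model of the check described above is an added example written for this page; it is not WebSEAL code and does not reproduce WebSEAL's internal implementation. It assumes a per-session token generated at login, a single management path (/pkmslogout, the only one named on this page; the full set of affected pages is not reproduced here), a flag mirroring enable-secret-token-validation, and a helper that renders the URL the way the CREDATTR{tagvalue_session_index} macro would. It returns the HTTP status a request would receive: 400 when validation is on and the "token" argument is missing, duplicated or mismatched, and 200 otherwise.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode

# Management paths subject to secret token validation.
# Assumption: only the path named on this page; WebSEAL's real list is longer.
MANAGEMENT_PATHS = {"/pkmslogout"}


def new_session_token() -> str:
    """Mint an unguessable per-session token (stands in for WebSEAL's session token)."""
    return secrets.token_urlsafe(32)


def build_management_url(path: str, session_token: str) -> str:
    """Render a management URL with the current session token appended,
    the way a page would after CREDATTR{tagvalue_session_index} is expanded."""
    return f"{path}?{urlencode({'token': session_token})}"


def validate_request(url: str, session_token: str, validation_enabled: bool = True) -> int:
    """Return the HTTP status a request would get under secret token validation.

    validation_enabled mirrors enable-secret-token-validation in [acnt-mgt].
    """
    parts = urlsplit(url)

    # Only management requests are affected; everything else passes through.
    if not validation_enabled or parts.path not in MANAGEMENT_PATHS:
        return 200

    tokens = parse_qs(parts.query, keep_blank_values=True).get("token", [])

    # Exactly one token argument is required; none or several is a malformed request.
    if len(tokens) != 1:
        return 400

    # Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    if not hmac.compare_digest(tokens[0], session_token):
        return 400

    return 200


if __name__ == "__main__":
    tok = new_session_token()
    good = build_management_url("/pkmslogout", tok)
    print(good, "->", validate_request(good, tok))
    print("/pkmslogout ->", validate_request("/pkmslogout", tok))
```

The path check comes first because the token requirement only applies to the management pages; a request for an ordinary resource is never rejected for lacking a token. Rejecting a duplicated token argument avoids any ambiguity over which value a parser would pick.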

To reference the secret token, use the CREDATTR{tagvalue_session_index} macro. Secret token validation does not affect the CDSSO or eCSSO functionality in WebSEAL.

Parent topic: Prevention of Cross-site Request Forgery (CSRF) attacks