With custom applications, in order to navigate from the custom application to an Axeda® Connected Product Management Applications page, a JSessionID and a CSRF token need to be appended to the URL. This allows the request to succeed and keeps the user from being logged out. For this to work for custom applications, a set of pre-defined tokens are substituted at runtime by the Axeda Platform, and they are made available to the custom application in the HTML file that calls the custom application.
If you choose to enable a CSRF filter on the Axeda Platform, take the following points into consideration:
o Any request made to the Platform needs to include a valid CSRF token or the request fails with a security error.
o CSRF tokens are valid for 20 minutes, and a new token is generated with every request.
When you create your custom application, you can use CSRF token parameters when constructing URLs that provide access to a page of the Axeda Applications. For example:
http://<servername>:<port>/<baseurl>?sessionid=<sessionId>&acsrf_req_idt=<csrf token>&<other params>
You can use the following tokens:
Token |
Replacement |
%%SESSION_ID%% |
The ID of the current JSession which has been granted by the application server. |
%%CSRF_TOKEN%% |
A just-in-time, non-expiring CSRF token which can be used to directly access URL resources from the DRM webapp. |
%%USER_LOCALE_TOKEN%% |
The locale preference setting of the user. |
%%USER_EMAIL_TOKEN%% |
The user’s email. |
%%USER_USERNAME_TOKEN%% |
The user's username. |
%%USER_FULLNAME_TOKEN%% |
The user’s full name. |
In the case of an HTML application, the CSRF token parameters can be used as follows:
<html>
<head>
<title>Test App</title>
</head>
<body>
<h2>Here is the title</h2>
<table>
<tr><td>CSRF_TOKEN</td><td>%%CSRF_TOKEN%%</td></tr>
<tr><td>SESSIONID_TOKEN</td><td>%%SESSIONID_TOKEN%%</td></tr>
<tr><td>USER_LOCALE_TOKEN</td><td>%%USER_LOCALE_TOKEN%%</td></tr>
<tr><td>USER_USERNAME_TOKEN</td><td>%%USER_USERNAME_TOKEN%%</td></tr>
<tr><td>USER_FIRSTNAME_TOKEN</td><td>%%USER_FIRSTNAME_TOKEN%%</td></tr>
<tr><td>USER_FULLNAME_TOKEN</td><td>%%USER_FULLNAME_TOKEN%%</td></tr>
<tr><td>USER_EMAIL_TOKEN</td><td>%%USER_EMAIL_TOKEN%%</td></tr>
</table>
<br/>
<br/><br/>
</body>
</html>
When you upload a custom Flash application to the Axeda Platform, the application needs to be provided in a .zip file that contains all of the UI elements. This includes the wrapper HTML file that points to the actual .swf file. When you upload the .zip file containing your custom Flash application from the Axeda Applications View and Manage Custom Applications page, you must provide the "Default index file". The default index file should be the wrapper HTML that launches the custom application.
In the case of a flash application, the CSRF token parameters can be made available by passing them as flashVars in the standard Adobe HTML wrapper file as highlighted in this example:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- saved from url=(0014)about:internet -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<!--
Smart developers always View Source.
This application was built using Adobe Flex, an open source framework
for building rich Internet applications that get delivered via the
Flash Player or to desktops via Adobe AIR.
Learn more about Flex at http://flex.org
// -->
<head>
<title>${title}</title>
<meta name="google" value="notranslate" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<!-- Include CSS to eliminate any default margins/padding and set the height of the html element and
the body element to 100%, because Firefox, or any Gecko based browser, interprets percentage as
the percentage of the height of its parent container, which has to be set explicitly. Fix for
Firefox 3.6 focus border issues. Initially, don't display flashContent div so it won't show
if JavaScript disabled.
-->
<style type="text/css" media="screen">
html, body { height:100%; }
body { margin:0; padding:0; overflow:auto; text-align:center;
background-color: ${bgcolor}; }
object:focus { outline:none; }
#flashContent { display:none; }
</style>
<!-- Enable Browser History by replacing useBrowserHistory tokens with two hyphens -->
<!-- BEGIN Browser History required section ${useBrowserHistory}>
<link rel="stylesheet" type="text/css" href="history/history.css" />
<script type="text/javascript" src="history/history.js"></script>
<!${useBrowserHistory} END Browser History required section -->
<script type="text/javascript" src="swfobject.js"></script>
<script type="text/javascript">
/* For version detection, set to min. required Flash Player version, or 0 (or 0.0.0), for no version detection.*/
var swfVersionStr = "${version_major}.${version_minor}.${version_revision}";
/* To use express install, set to playerProductInstall.swf, otherwise the empty string. */
var xiSwfUrlStr = "${expressInstallSwf}";
var flashvars = {};
flashvars.csrfToken = "%%CSRF_TOKEN%%";
flashvars.sessionId = "%%SESSIONID_TOKEN%%";
flashvars.userLocale = "%%USER_LOCALE_TOKEN%%";
flashvars.userEmail = "%%USER_EMAIL_TOKEN%%";
flashvars.userName = "%%USER_USERNAME_TOKEN%%";
flashvars.userFullName = "%%USER_FULLNAME_TOKEN%%";
var params = {};
params.quality = "high";
params.bgcolor = "${bgcolor}";
params.allowscriptaccess = "sameDomain";
params.allowfullscreen = "true";
var attributes = {};
attributes.id = "${application}";
attributes.name = "${application}";
attributes.align = "middle";
swfobject.embedSWF(
"${swf}.swf", "flashContent",
"${width}", "${height}",
swfVersionStr, xiSwfUrlStr,
flashvars, params, attributes);
/* JavaScript enabled so display the flashContent div in case it is not replaced with a swf object. */
swfobject.createCSS("#flashContent", "display:block;text-align:left;");
</script>
</head>
<body>
<!-- SWFObject's dynamic embed method replaces this alternative HTML content with Flash content when enough
JavaScript and Flash plug-in support is available. The div is initially hidden so that it doesn't show
when JavaScript is disabled.
-->
<div id="flashContent">
<p>
To view this page ensure that Adobe Flash Player version
${version_major}.${version_minor}.${version_revision} or greater is installed.
</p>
<script type="text/javascript">
var pageHost = ((document.location.protocol == "https:") ? "https://" : "http://");
document.write("<a href='http://www.adobe.com/go/getflashplayer'><img src='"
+ pageHost + "www.adobe.com/images/shared/download_buttons/get_flash_player.gif' alt='Get Adobe Flash player' /></a>" );
</script>
</div>
<noscript>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="${width}" height="${height}" id="${application}">
<param name='flashVars' value='csrfToken=%%CSRF_TOKEN%%&sessionId=%%SESSIONID_TOKEN%%&userLocale=%%USER_LOCALE_TOKEN%%&userEmail=%%USER_EMAIL_TOKEN%%&userName=%%USER_USERNAME_TOKEN%%&userFullName=%%USER_FULLNAME_TOKEN%%'/>
<param name="movie" value="${swf}.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="${bgcolor}" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
<!--[if !IE]>-->
<object type="application/x-shockwave-flash" data="${swf}.swf" width="${width}" height="${height}">
<param name='flashVars' value='csrfToken=%%CSRF_TOKEN%%&sessionId=%%SESSIONID_TOKEN%%&userLocale=%%USER_LOCALE_TOKEN%%&userEmail=%%USER_EMAIL_TOKEN%%&userName=%%USER_USERNAME_TOKEN%%&userFullName=%%USER_FULLNAME_TOKEN%%'/>
<param name="quality" value="high" />
<param name="bgcolor" value="${bgcolor}" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
<!--<![endif]-->
<!--[if gte IE 6]>-->
<p>
Either scripts and active content are not permitted to run or Adobe Flash Player version
${version_major}.${version_minor}.${version_revision} or greater is not installed.
</p>
<!--<![endif]-->
<a href="http://www.adobe.com/go/getflashplayer">
<img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash Player" />
</a>
<!--[if !IE]>-->
</object>
<!--<![endif]-->
</object>
</noscript>
</body>
</html>