Cognos Application Firewall - (CAF)

CAF does not validate a request more than once. Once a request has passed parameter validation (both HTTP and XML), an internal header value containing a signed GUID is written into the SOAP header and travels with the request. When a dispatcher receives a request it hands the request off to CAF, which checks the SecureState GUID. If the check passes, CAF does not re-validate the request. SecureState lets CAF work without modification in multiple-dispatcher configurations, and it keeps the performance impact of input validation to a minimum. SecureState GUIDs are signed with the CAMpassport to ensure that they cannot be replayed by another user. CAF rejects any HTTP request with a SecureState flag set: SecureState can only be set on SOAP XML passed from one dispatcher to another.

SecureError is a CAF feature that strips verbose detail from an error message before it reaches the browser. For example, a full error such as:

An error occurred while calling the content store for the model: '/<model Name>[permission('read')] information.

reaches the browser only in this shortened form:

DPR-ERR-2082 An error has occurred. Please contact your administrator. The complete error has been logged by CAF with SecureErrorID:2010-09-19-10:30:52.123-#521

Search the cogserver.log file for the SecureErrorID (2010-09-19-10:30:52.123-#521) to locate the actual error that was thrown, which typically contains details such as data source names.

CAF does this by intercepting the SOAP fault at the dispatcher before it is sent to XTS to be built into HTML and returned to the browser. CAF keeps the title and the first line of the message but replaces the rest of the error message with a GUID timestamp. You can then grep for that GUID in the resulting cogserver.log to find the actual message.
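The strip-and-correlate flow described above, as an added Python example that is not IBM's or Cognos's own code: it models the SecureErrorID format shown on this page, uses an assumed in-memory list in place of cogserver.log and an assumed title/message layout, and shows both the scrubbing step (full text goes only to the server-side log) and the administrator's lookup by ID.

```python
from __future__ import annotations
import re
from datetime import datetime
from itertools import count

# Constructed stand-in for cogserver.log (assumption: a list of log lines, not a real file).
COGSERVER_LOG: list[str] = []
_seq = count(1)  # per-process counter for the "-#n" suffix (assumed; CAF's real scheme is not documented here)


def make_secure_error_id(now: datetime) -> str:
    """Build an ID in the shape the page shows: YYYY-MM-DD-HH:MM:SS.mmm-#n."""
    stamp = now.strftime("%Y-%m-%d-%H:%M:%S.") + f"{now.microsecond // 1000:03d}"
    return f"{stamp}-#{next(_seq)}"


def secure_error(title: str, full_message: str, now: datetime) -> str:
    """Log the complete fault server-side and return the shortened text sent to the browser.

    Title and first line of the message are kept; everything else is replaced by the ID.
    The DPR-ERR-2082 wording is the page's example; the surrounding layout is an assumption.
    """
    first_line = full_message.splitlines()[0] if full_message else ""
    error_id = make_secure_error_id(now)
    # Only the log sees the verbose detail (data source names, paths, etc.). repr() keeps it one line.
    COGSERVER_LOG.append(f"SecureErrorID:{error_id} {title}: {full_message!r}")
    return (f"{title}\n{first_line}\n"
            f"DPR-ERR-2082 An error has occurred. Please contact your administrator. "
            f"The complete error has been logged by CAF with SecureErrorID:{error_id}")


ID_RE = re.compile(r"SecureErrorID:(\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}-#\d+)")


def find_logged_error(shortened_message: str, log_lines: list[str]) -> list[str]:
    """Administrator side: pull the ID out of the browser message and grep the log for it."""
    match = ID_RE.search(shortened_message)
    if not match:
        return []
    return [line for line in log_lines if f"SecureErrorID:{match.group(1)}" in line]


def demo() -> tuple[str, list[str]]:
    """Run the flow on a constructed content-store fault that leaks a data source name."""
    verbose = ("An error occurred while calling the content store for the model.\n"
               "Data source 'great_outdoors_warehouse' on host db01 refused the connection.")
    shortened = secure_error("Content store error", verbose, datetime(2010, 9, 19, 10, 30, 52, 123000))
    return shortened, find_logged_error(shortened, COGSERVER_LOG)
```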

SecureError is available as a capability that Cognos administrators can assign to the users, groups or roles they wish to see the full error message when a CAF error is thrown, instead of the shortened CAF error.