...

frevvo-config.properties:
# SMTP Settings
frevvo.mail.from.email= .
frevvo.mail.bounce.email={email address for bounced emails}
frevvo.mail.debug=false
frevvo.actions.debug=true
frevvo.rule.debug=true 

Email log entries

If you are using Tomcat, sent emails are tracked in the <frevvo-home>\tomcat\logs\frevvo.log file when the INFO log level is enabled. Look for an entry like "Sending email to <email address> with subject <the subject of your email>". If an error occurs when sending, the message "Could not send email to <email address> with subject <the subject of your email>", including the actual exception that caused the problem, will be logged.

...

frevvo is a multi-tenant application. See the administration section on Manage Tenants. However, it is possible that all you need is a single tenant. If this is your case, it simplifies the frevvo server login if you default the @<tenantname> so the user only needs to enter their username to log in. Customers who default the tenant login normally would also customize the placeholder on the login screen. Please read that topic for details.

...

You may want to customize the user@tenant placeholder on the login screen to reflect the name of your frevvo tenant to minimize confusion for your users or to remove the @tenant from the placeholder if you have defaulted the tenant login.


In-house customers can change the default placeholder on the login screen by modifying the values for the frevvo.login.username.placeholder property.

...

  1. If the target tenant does not exist, create it by following these steps. For the sake of this document, the target tenant id is mytenant.
  2. Log in to the target tenant as an admin and create a user with the same id as the user in the original tenant. In this example, the user id is john in the tenant mytenant.
  3. Transfer the applications to the new user account in the target tenant.
    1. Log in to the source tenant as a tenant admin, for instance admin@d.
    2. Navigate to Manage > Manage Users.
    3. Log in as the user you want to move.
    4. Navigate to the user's applications page.
    5. Download each application for that user and save it to a folder in your file system.
    6. Log out.
    7. Log in as the user in the new tenant: john@mytenant.
    8. Upload the applications you downloaded in the previous steps.
  4. Move the submissions in the submissions repository. You need to run these steps in the database where you persist the frevvo submissions. Please back up your database before moving forward.
    1. Log in to your database.
    2. Edit the script shown below to:
      1. Replace the word john with the id of the user you are migrating.
      2. Replace the tenant id d with the id of the source tenant. The default tenant in frevvo is called d.
      3. Replace the word mytenant with the name of your target tenant.
    3. Run the script shown below in your frevvo submissions database.

    ...

    • Information Disclosure - Resolved with the Tomcat upgrade to version 8.5.16.
    • Man in the middle - This has to do with executing the CGI Servlet. This servlet is disabled in the frevvo Apache Tomcat distribution. Customers who choose to enable the servlet are responsible for securing it, for example by adding a filter.
    • Version Disclosures - Resolved by configuring the ErrorReportValve in the \frevvo\tomcat\conf\server.xml file (in the Host section) as described on the Apache Tomcat website. The parameter that needs to be modified is:
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
    • X-Frame-Options Header Not Set - Resolved by modification at the Tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the Tomcat web.xml. The filter is documented on the Apache Tomcat website. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter (SAMEORIGIN or ALLOW-FROM).

      Warning: Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOW-FROM instead.

      Click the appropriate link below for filter examples.

      Example of filter with SAMEORIGIN:

      <filter>
          <filter-name>httpHeaderSecurity</filter-name>
          <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
          <init-param>
              <param-name>antiClickJackingOption</param-name>
              <param-value>SAMEORIGIN</param-value>
          </init-param>
          <async-supported>true</async-supported>
      </filter>

      <filter-mapping>
          <filter-name>httpHeaderSecurity</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      


      Example of filter with ALLOW-FROM for embedded forms:

      <filter>
          <filter-name>httpHeaderSecurity</filter-name>
          <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
          <init-param>
              <param-name>antiClickJackingOption</param-name>
              <param-value>ALLOW-FROM</param-value>
          </init-param>
          <init-param>
              <param-name>antiClickJackingUri</param-name>
              <param-value>http://example.com:80/*</param-value>
          </init-param>
          <async-supported>true</async-supported>
      </filter>

      <filter-mapping>
          <filter-name>httpHeaderSecurity</filter-name>
          <url-pattern>/*</url-pattern>
          <dispatcher>REQUEST</dispatcher>
      </filter-mapping>


    • Admin user name exposure in URLs - Resolved by the frevvo feature to not expose the user id in URLs.
    • Tomcat 'Ghostcat' bug (affects frevvo through v9.0.10). The frevvo Apache Tomcat will be upgraded in a future release. To address this vulnerability in the versions listed, please use the solution listed in this article.
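The ErrorReportValve and HttpHeaderSecurityFilter settings in the list above can be verified from the configuration files after editing. The following is an added example, not frevvo's own code: the `audit` function, its finding strings and the embedded sample files are constructed for illustration, and in practice you would pass in the contents of your own server.xml and web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for illustration; not frevvo's shipped configuration.
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
  </Host></Engine></Service></Server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>ALLOW-FROM</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

VALVE = "org.apache.catalina.valves.ErrorReportValve"
FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

def _parse(text):
    """Parse XML and drop namespaces so lookups work for any web.xml schema version."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def _text(parent, tag):
    return (parent.findtext(tag) or "").strip()

def audit(server_xml, web_xml):
    """Return findings for both settings; a still-commented-out filter counts as absent."""
    findings = []
    valves = [v for h in _parse(server_xml).iter("Host") for v in h.findall("Valve")
              if v.get("className") == VALVE]
    if not any(v.get("showServerInfo") == "false" for v in valves):
        findings.append("ErrorReportValve with showServerInfo=false missing from Host")
    web = _parse(web_xml)
    flt = next((f for f in web.findall("filter") if _text(f, "filter-class") == FILTER), None)
    if flt is None:
        return findings + ["HttpHeaderSecurityFilter not enabled"]
    params = {_text(p, "param-name"): _text(p, "param-value") for p in flt.findall("init-param")}
    option = params.get("antiClickJackingOption", "DENY")  # DENY is the filter's default
    if option == "ALLOW-FROM" and not params.get("antiClickJackingUri"):
        findings.append("ALLOW-FROM set without antiClickJackingUri")
    mapped = {_text(m, "filter-name") for m in web.findall("filter-mapping")}
    if _text(flt, "filter-name") not in mapped:
        findings.append("filter has no filter-mapping")
    return findings
```

The constructed web.xml deliberately omits antiClickJackingUri, so `audit(SERVER_XML, WEB_XML)` reports that one finding. Current browsers ignore the ALLOW-FROM value of X-Frame-Options, so confirm the embedding behaviour in the browsers you support after changing the filter.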

    ...