Client settings
- Enable HTTP compression (Web-only)
- Select this box to use HTTP compression to reduce the number
of bytes being transferred between the ZIETrans runtime, which is
running on the WebSphere® Application
Server, and the user's browser. This reduces the transfer time between
the ZIETrans runtime and the browser (which improves response time)
and reduces the number of bytes flowing in the network (which improves
network utilization).
Note:
- To determine if compression is working properly and
to see before and after page sizes in bytes, you can enable tracing
by updating the trace.UTIL line in the runtime.properties file (or
runtime-debug.properties file if running in debug mode in the ZIETrans Toolkit).
For example:
trace.UTIL=7
For more information, see Runtime properties files. In the trace file, search for the runtime.filters.CompressionFilter trace entries. For example:
+--------------------------------------+
Text UTIL runtime.filters.CompressionFilter.doFilter() 17.50.10.140 11/27/06 Servlet.Engine.Transports : 1 enable compression: true 0000CBAx-81SRWWVmQfQ8-_47oK:-1
+--------------------------------------+
Text UTIL runtime.filters.CompressionFilter.doFilter() 17.50.10.140 11/27/06 Servlet.Engine.Transports : 1 size before: 25315 0000CBAx-81SRWWVmQfQ8-_47oK:-1
+--------------------------------------+
Text UTIL runtime.filters.CompressionFilter.doFilter() 17.50.10.140 11/27/06 Servlet.Engine.Transports : 1 size after: 4264 0000CBAx-81SRWWVmQfQ8-_47oK:-1
- This feature is not applicable when running the ZIETrans application on WebSphere® Portal Server.
- ZIETrans ensures the "Accept-Encoding" HTTP header contains "gzip" before compressing a page.
- You must restart the application server for changes made to compression-related settings to be picked up while the application is running on the server.
- JavaScript™ (.js) and cascading stylesheet (.css) files are not compressed by this new function. You must configure HTTP compression within your HTTP server to provide compression for these types of files. See the documentation of your HTTP server for more information.
- This setting can only be specified at the project level. It cannot be specified for individual transformation JSPs.
- Enable Minify JavaScript Feature (Web-only)
- Select the check box to enable the minify JavaScript feature
on the ZIETrans project. The minify JavaScript feature removes
unnecessary content such as code comments and extra whitespace (formatting),
converts variable names into shorter ones and so on, without affecting
how the browser processes the resources in ZIETrans.
Note:
- If the ‘Compress default javascript’ option
is selected, the ZIETrans default JavaScript
files under the following ZIETrans project folders are compressed:
\Web Content\common
\Web Content\common\scripts
\Web Content\ZIETransadmin\scripts
- If the ‘Compress all javascript’ option
is selected, all the ZIETrans JavaScript
files located under the following ZIETrans project folder are compressed:
\Web Content\
- Users who do not want a JavaScript file to be compressed can set
the property ‘avoidCompressJS’
in the Source tab of the project, listing the names of the
JavaScript files with their relative paths in the value, separated by commas (,).
(JS files that are already compressed or minified, such as abc.min.js,
must be listed in the value so that they are not compressed
again.) For example:
<setting name="avoidCompressJS" value="\bootstrap.min.js,\common\bidishape.js"/>
After selecting these features, during an ‘Export project’ operation a dialog box showing the ‘Compress JavaScript progress bar’ is displayed, and compression of the JavaScript files begins according to the selected options.
- In a workspace, if a system crash, IDE crash or other abnormal condition occurs during a JavaScript compress process, the JavaScript files that were already compressed are, by default, reverted to their original state in the same project and workspace when the IDE is restarted. (This crash recovery occurs only if at least one file related to that project was open at the time of the crash, and an ‘export project’ operation with the compress JavaScript option enabled was being carried out for that project.)
- If an error is displayed on the console for a JavaScript definition
or declaration during the Compress operation, all the errors
in the file must be fixed before re-running the export project
operation. An example of an error during the Compress operation is shown
below:
The Compress operation of the javascript file has failed due to an error in one of the javascript files. Correct those JS and re-run the export project.
INVALID_OCTAL_LITERAL. This style of octal literal is not supported in strict mode. at lxgwfunctions.js line 53 : 15
- This feature is applicable when running the ZIETrans application on a WebSphere Portal Server.
- Enable same origin policy protection (Web-only)
- Select this box to prevent CSRF attacks on the ZIETrans application, which
runs on a ZIETrans-supported application server, and on the user's
browser. Requests that originate from a URL
that has no protocol, or from an unauthorized
origin or website, are discarded.
Note:
- To protect against CSRF attacks, declare the URL at which ZIETrans is running
as the ‘param-value’ for param-name = target.origin, in web.xml under the
‘HatsCSRFValidationFilter’ section. For example:
<param-value>http://localhost:9080/Test/entry</param-value>
- To determine if the CSRF validation is working properly, uncheck the box in client setting and attempt a CSRF attack. This will now allow the modification of ZIETrans data by a different source. The same operation will not be allowed from a different origin, if the client setting check-box is selected.
- This feature is not applicable when running the ZIETrans application on a WebSphere Portal Server.
- The application server must be restarted for the changes made to origin policy-related settings to be picked up while the application is running on the server.
- After the origin policy is enabled, the default URLs /entry, /ZIETransadmin/admin and /index.jsp and the default project context path ( http://localhost:9080/Test/ ) are secured against CSRF attacks.
- Users can secure additional custom URLs. If a user has
added a new servlet, it must be configured in the web.xml file
as shown below to secure it from a CSRF attack. For example, for
http://localhost:9080/Test/transfer:
<filter-mapping>
  <filter-name>HatsCSRFValidationFilter</filter-name>
  <url-pattern>/transfer</url-pattern>
</filter-mapping>
- Users can enable multiple origin sources by adding the list of
sources as the ‘param-value’ for param-name = source.origin, under the
‘HatsCSRFValidationFilter’ filter section. For example:
<param-value>http://ZIETrans:9081/index, http://ZIETransapp.com/, http://citi.com</param-value>
- Enable token based protection (Web-only)
- Select this box to prevent CSRF attacks on the ZIETrans application, which
runs on a ZIETrans-supported application server, and on the user's
browser. The request is discarded even if the attacker is able
to bypass the same origin policy.
Note:
- To determine if the CSRF validation is working properly, uncheck the box in the client settings and try a CSRF attack. If the ‘Enable same origin policy’ option is also unchecked, this permits the modification of ZIETrans data by a different source. If this check box is selected, the same operation is not allowed from a different origin, and even if an attacker is able to bypass the origin policy, the token based protection does not allow ZIETrans data to be modified by a CSRF attack.
- This feature is not applicable when running the ZIETrans application on a WebSphere Portal Server.
- The application server must be restarted for the changes made to token based settings to be picked up while the application is running on the server.
- Token based check, when enabled, will secure the default URL /entry, /index.jsp and the default project context path from CSRF attack, and if the origin policy is enabled then /entry, /ZIETransadmin/admin , /index.jsp and the default project context path ( http://localhost:9080/Test/ ) will be secured from CSRF attack.
- Users can secure additional custom URLs. If a user has
added a new servlet, it must be configured in the web.xml file
as shown below to secure it from a CSRF attack, and the hidden
input form field named HatsCSRF must be added to the
respective JSP page; the value can
be appended by the HatsCSRFValidationFilter token. For
example, for http://localhost:9080/Test/transfer:
<filter-mapping>
  <filter-name>HatsCSRFValidationFilter</filter-name>
  <url-pattern>/transfer</url-pattern>
</filter-mapping>
<INPUT TYPE="HIDDEN" NAME="HatsCSRF" VALUE="">
- If both of the protection features have been enabled, then unknown sources cannot modify ZIETrans data, and if an attacker is able to bypass the same origin policy, then the token based protection will restrict the modification of ZIETrans user data.
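The same origin policy check described above, as an added illustration in Python. This is not ZIETrans code, and the page does not document how HatsCSRFValidationFilter compares values internally. It assumes the check is applied to the request's Origin or Referer header and that scheme, host and port must match exactly; the configured values are the target.origin and source.origin examples from this page, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Values taken from the param-value examples on this page.
TARGET_ORIGIN = "http://localhost:9080/Test/entry"
SOURCE_ORIGINS = "http://ZIETrans:9081/index, http://ZIETransapp.com/, http://citi.com"

def origin_of(url):
    """Reduce a URL to (scheme, host, port); None if it has no protocol or host."""
    try:
        parts = urlsplit((url or "").strip())
        port = parts.port
    except ValueError:  # malformed port or host
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    # urlsplit lower-cases the host name, so the comparison is case-insensitive.
    return (parts.scheme, parts.hostname, port or default_port)

def allowed_origins(target_origin, source_origins):
    """Build the allow-list from target.origin plus the comma-separated source.origin."""
    entries = [target_origin] + source_origins.split(",")
    return {o for o in map(origin_of, entries) if o is not None}

def is_allowed(header_value, target_origin, source_origins):
    """Accept a request only when its Origin/Referer reduces to an allowed origin."""
    candidate = origin_of(header_value)
    if candidate is None:  # missing header or URL without a protocol
        return False
    # Exact tuple comparison: a prefix or substring match would also accept
    # look-alike hosts such as ZIETransapp.com.example.net.
    return candidate in allowed_origins(target_origin, source_origins)

if __name__ == "__main__":
    samples = [  # constructed header values
        "http://localhost:9080",
        "http://zietransapp.com/some/page",
        "//localhost:9080/Test/entry",
        "http://ZIETransapp.com.example.net/",
        "https://citi.com",
        None,
    ]
    for value in samples:
        print(value, "->", is_allowed(value, TARGET_ORIGIN, SOURCE_ORIGINS))
```
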
- Suppress sending unmodified fields (Web-only)
- Select this box to specify that ZIETrans should not send modified
input field data to the host when the contents of the field are identical
to the data supplied by the host.
Clear this box to specify that ZIETrans should send modified input field data even when the contents of the field are identical to the data supplied by the host. For example, if the host filled a field with ABC and the user typed ABC into the field, the typed data will be returned to the host.
Note: This setting can only be specified at the project level. It cannot be specified for a single transformation JSP.
- Enable XSS Policy protection (Web-only)
- In the web.xml file, provide the value
described below to protect against XSS attacks on the ZIETrans application, which
runs on a ZIETrans-supported application server, and on the user's
browser. This will discard XSS attacks.
Note:
- To protect against XSS attacks, in the web.xml file, under the
‘HatsHeaderSecurityFilter’ filter section, update the ‘param-value’
from “NO” to “YES”. The three policies listed below can
be enabled and disabled independently by giving each the value “YES”
or “NO”.
- "Content-Security-Policy"
- "X-Content-Type-Options"
- "X-XSS-Protection"
<param-value>YES</param-value>
- To determine if the XSS validation is working properly, set the ‘param-value’ to “NO” in the web.xml ‘HatsHeaderSecurityFilter’ section.
- This feature is not applicable when running the ZIETrans application on a WebSphere Portal Server.
- The application server must be restarted for the changes made to XSS policy protection-related settings to be picked up while the application is running on the server.
- Users can secure additional custom URLs. If a user has
added a new servlet, it must be configured in the web.xml file
as shown below to secure it from an XSS attack. For example, for
http://localhost:9080/Test/transfer:
<filter-mapping>
  <filter-name>HatsHeaderSecurityFilter</filter-name>
  <url-pattern>/transfer</url-pattern>
</filter-mapping>
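Both the CSRF and XSS notes say a newly added servlet is protected only once it has its own filter-mapping. As an added example (not part of the product), this Python script reads a web.xml and reports servlet URL patterns that no HatsCSRFValidationFilter or HatsHeaderSecurityFilter mapping covers. The sample descriptor and servlet names are constructed, and the pattern matching is a simplified form of the servlet URL-pattern rules.

```python
import xml.etree.ElementTree as ET

FILTERS = ("HatsCSRFValidationFilter", "HatsHeaderSecurityFilter")

# Constructed sample descriptor; the servlet names are made up for this example.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <servlet-mapping><servlet-name>EntryServlet</servlet-name>
  <url-pattern>/entry</url-pattern></servlet-mapping>
 <servlet-mapping><servlet-name>TransferServlet</servlet-name>
  <url-pattern>/transfer</url-pattern></servlet-mapping>
 <filter-mapping><filter-name>HatsCSRFValidationFilter</filter-name>
  <url-pattern>/entry</url-pattern></filter-mapping>
 <filter-mapping><filter-name>HatsHeaderSecurityFilter</filter-name>
  <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def covers(filter_pat, servlet_pat):
    """Simplified servlet matching: exact, '/prefix/*' and '*.ext' patterns."""
    if filter_pat in (servlet_pat, "/*"):
        return True
    if filter_pat.endswith("/*"):
        prefix = filter_pat[:-2]
        return servlet_pat == prefix or servlet_pat.startswith(prefix + "/")
    if filter_pat.startswith("*."):
        return servlet_pat.endswith(filter_pat[1:])
    return False

def audit(web_xml_text):
    """Map each filter name to the servlet URL patterns it does not cover."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():  # drop XML namespaces so tag names match directly
        el.tag = el.tag.rsplit("}", 1)[-1]
    servlets = [(m.findtext("servlet-name", "").strip(), (p.text or "").strip())
                for m in root.iter("servlet-mapping") for p in m.iter("url-pattern")]
    gaps = {}
    for name in FILTERS:
        patterns, by_servlet = [], set()
        for fm in root.iter("filter-mapping"):
            if fm.findtext("filter-name", "").strip() != name:
                continue
            patterns += [(p.text or "").strip() for p in fm.iter("url-pattern")]
            by_servlet |= {(s.text or "").strip() for s in fm.iter("servlet-name")}
        gaps[name] = [url for servlet, url in servlets if servlet not in by_servlet
                      and not any(covers(p, url) for p in patterns)]
    return gaps

if __name__ == "__main__":
    for filter_name, uncovered in audit(SAMPLE_WEB_XML).items():
        print(filter_name, "does not cover:", uncovered or "nothing")
```
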
- Enable automatic field advance
- Select this box to specify that when a user completely fills an input field
with data, focus automatically advances to the next input field.
For Web applications, you can selectively disable this function for an individual transformation by adding the following lines just after the </ZIETrans:Form> tag in the transformation file. To selectively enable the function, specify true instead of false.
<script>
autoAdvance = false;
</script>
Note: For DBCS considerations when using this setting, see Enable automatic field advance.
- Include host and non-host input fields
- Select this box to specify that when auto advance is enabled,
focus automatically advances to the next input field in the order
of the input fields on the transformed screen without regard to the
order of the input fields on the host screen.
Clear this box to specify that when auto advance is enabled, focus automatically advances to the next input field in the order of the input fields on the host screen.
- Initial cursor position
- The position of the host application's cursor normally controls
the initial input focus location for your screen transformation. In
some limited cases, it might be desirable to have the host application's
cursor location ignored, and instead give the initial focus to the
first item on the transformation. This is intended for highly-customized
transformations where the order of host input fields has been changed.
With this feature enabled, the initial focus placement will be the
first item on the screen transformation rather than the input field
containing the host cursor.
Note:
- The Initial cursor position setting
does not appear in the GUI as a configurable setting. It must be set
in the source of the transformation file.
For Web applications, you can enable this feature for a transformation by adding the following lines just after the </ZIETrans:Form> tag in your transformation:
<script>
initialInputFocusFromCursor = false;
</script>
- Be certain to test your transformation carefully. Many host applications rely on the cursor position for proper behavior. For example, a macro button placed on a transformation may cause the invoked macro to begin entering data in the wrong location on the host application, since the cursor may be in a different location than expected.
- nextFieldForDropDown (Web-only)
- Use this setting to specify that the cursor position be moved
to the next input field when a selection is made from a drop-down
list. The default for new projects created in ZIETrans V7.5.0.2, or
later, is true. The default for projects
created before ZIETrans V7.5.0.2 is false.
Note:
- This setting does not appear in the GUI as a configurable setting.
It must be set in the source of the application.hap file as shown
below.
<class name="com.ibm.hats.common.RuntimeSettings">
  <setting name="nextFieldForDropDown" value="true"/>
</class>
- This setting is effective only when Enable automatic field advance is selected.
- Overwrite mode (initial)
- Select this box to initially enable overwrite
mode (if it is supported by the browser). If enabled, text entered
into an input field overwrites text at the cursor position one character at a time. If not enabled, text entered
into an input field is inserted at the cursor position pushing existing
text ahead. The user can toggle from this initial
setting using the Insert key.
Note:
For DBCS considerations when using this setting see Overwrite mode (initial).
- Select all text on focus
- Select this box if you want all text in a field to be selected
when the field receives focus, which is typical behavior for a Web
application. Clear this box if you want no text selected when the
field receives focus, which is typical behavior for a terminal emulator.
Note:
- For Web applications:
- The default is selected.
- This setting does not affect the Overwrite mode (initial) setting behavior.
- This setting is only valid when Internet Explorer is used as the browser for the application.
- For DBCS considerations when using this setting, see Select all text on focus.
- Enable busy page (Web-only)
- Select this box to display a busy-page message when multiple requests are submitted by the user before processing has completed on the initial request. Clear this box if you do not want a busy-page message displayed. If cleared, you cannot submit any more requests until the server returns a response.
- Enable transformation refresh (Web-only)
- Select this box to refresh only the transformation area. If this box is not selected, the entire page is refreshed.