When you enable URL redirect filtering, WebSphere Commerce rejects any request that tries to redirect the shopper to a host that is not on the allowed list. This feature mitigates open-redirect phishing, where an attacker crafts a link that points at your trusted WebSphere Commerce site but bounces the shopper on to an attacker-controlled site.
Examples of URL redirection include:
- the URL parameter in a URL command
- the reLogonURL parameter in the Logon URL command
- URLs defined as click actions in the Marketing Tool. To list the collateral entries that point at absolute URLs, run:
  select * from collateral where URL like 'http%'
Procedure
- Open the WebSphere Commerce configuration file.
- Locate the web module where you want to enable this feature.
For example, if you want to enable this feature for the Stores
web module, modify the following section:
<Module contextPath="/webapp/wcs/stores"
fileServletEnabled="false" name="Stores"
urlMappingPath="/servlet" webAlias="/wcsstore">
<InitParameters adapters="XML/HTTP, BrowserAdapter"
contextSetName="Store" handleDoubleClick="true"/>
</Module>
Note: To enable this feature for store preview, modify the module whose context path is /webapp/wcs/preview instead, that is, the element that begins with Module contextPath="/webapp/wcs/preview".
- Add a URLRedirectFilter element in the Module element as shown in the following example:
<Module contextPath="/webapp/wcs/stores"
    fileServletEnabled="false" name="Stores"
    urlMappingPath="/servlet" webAlias="/wcsstore">
  <InitParameters adapters="XML/HTTP, BrowserAdapter"
      contextSetName="Store" handleDoubleClick="true"/>
  <URLRedirectFilter enable="true">
    <AllowedHost name="www.mycompany1.com"/>
    <AllowedHost name="www.mycompany2.com"/>
    <AllowedDomain name="mycompany3.com"/>
  </URLRedirectFilter>
</Module>
The usage of these elements is described in the following list:
- URLRedirectFilter enable="true"
- Specifies whether URL redirect filtering is enabled for the web module. Possible values are true or false.
- AllowedHost name="www.mycompany1.com"
- Specifies a single host name that WebSphere Commerce allows redirection to. The host name must match exactly; it does not cover other hosts in the same domain. By default, if this feature is enabled, the Web server hostname that is configured for the WebSphere Commerce instance is added to the allowed host list.
- AllowedDomain name="mycompany3.com"
- Specifies an entire domain that WebSphere Commerce allows redirection to. Use this element if you want to allow redirection to all hosts in a domain. Because this allows every host in the domain, including any that you do not operate, list individual hosts with AllowedHost where you can.
- Propagate the changes to the WebSphere Commerce configuration file.
Example
In the preceding example, URL redirect filtering is enabled for the Stores web module. WebSphere Commerce allows redirection from the Stores web module to the Web server hostname of the instance and to any of the following hosts:
- www.mycompany1.com
- www.mycompany2.com
- www.mycompany3.com
- myhost.mycompany3.com
- myhost2.mycompany3.com
The following hosts would be blocked by WebSphere Commerce:
- www.mycompany4.com, because neither the host nor its domain is listed
- myhost.mycompany1.com, because an AllowedHost element matches one host name exactly; to allow every host under mycompany1.com, use an AllowedDomain element instead
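The following Python script is an added example, not WebSphere Commerce code, that re-implements the allow-list semantics this page describes (exact match for AllowedHost, the domain and every host beneath it for AllowedDomain, plus the instance's own Web server hostname) so that you can test a candidate redirect target against the same list before trusting it in your own code or in a test harness. The allow list mirrors the configuration fragment above; the instance host name store.example.com and the treatment of the bare domain mycompany3.com as allowed are assumptions. It goes beyond the page's own cases by also rejecting the tricks an open-redirect attacker typically uses: userinfo smuggling (www.mycompany1.com@evil.com), scheme-relative URLs (//evil.com), backslash variants, non-HTTP schemes and suffix look-alikes (www.mycompany1.com.evil.com).

```python
from urllib.parse import urlsplit

# Constructed allow list mirroring the URLRedirectFilter fragment on this page.
# Assumption: AllowedHost entries match a host name exactly; the AllowedDomain
# entry matches the domain itself and every host below it.
ALLOWED_HOSTS = {"www.mycompany1.com", "www.mycompany2.com"}
ALLOWED_DOMAINS = {"mycompany3.com"}

# The page states that the instance's Web server hostname is allowed
# automatically when the filter is enabled; this value is an assumption.
INSTANCE_HOST = "store.example.com"


def host_allowed(host, allowed_hosts=ALLOWED_HOSTS,
                 allowed_domains=ALLOWED_DOMAINS, instance_host=INSTANCE_HOST):
    """Return True if HOST is the instance host, an exact AllowedHost entry,
    or the AllowedDomain itself or any host beneath it (label boundary only)."""
    host = host.lower().rstrip(".")           # normalise case and a trailing dot
    if host == instance_host.lower():
        return True
    if host in {h.lower() for h in allowed_hosts}:
        return True
    for domain in allowed_domains:
        domain = domain.lower().lstrip(".")
        # Suffix match on a label boundary: "myhost.mycompany3.com" passes,
        # "evilmycompany3.com" and "mycompany3.com.evil.net" do not.
        if host == domain or host.endswith("." + domain):
            return True
    return False


def redirect_allowed(url, **kw):
    """Return True if URL is a same-site relative path or an http(s) URL whose
    host passes host_allowed(); every other form is rejected."""
    url = url.strip()
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.com" would be
    # fetched as "//evil.com"; reject rather than try to normalise it.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False                      # javascript:, data:, ftp:, ...
        if not parts.netloc:
            return False                      # "http:evil.com" is http://evil.com in browsers
    elif not parts.netloc:
        return True                           # relative path: stays on this site
    # .hostname drops userinfo ("www.mycompany1.com@evil.com") and the port,
    # and lower-cases the result, so the attacker-controlled part is what we check.
    host = parts.hostname
    if not host:
        return False
    return host_allowed(host, **kw)


if __name__ == "__main__":
    # Constructed sample targets, including the hosts from the page's example.
    for target in ("https://www.mycompany1.com/landing",
                   "http://myhost.mycompany3.com/",
                   "http://myhost.mycompany1.com/",
                   "http://www.mycompany1.com@evil.com/",
                   "//evil.com/"):
        print(f"{target:45} allowed={redirect_allowed(target)}")
```

The host check is deliberately split from the URL check: host_allowed() is the policy that corresponds to the AllowedHost and AllowedDomain elements, while redirect_allowed() is the parsing layer that decides which part of an attacker-supplied string that policy is applied to. If you adapt this, keep the scheme and netloc checks; an allow list applied to the wrong component is how userinfo and scheme-relative bypasses succeed.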