When enabled, WhiteList data validation ensures
that when a URL command or view is run, the parameter values conform
to a specified regular expression. For example, you can configure
it so that the storeId must be an integer. When a WhiteList violation
is detected, the request is changed to the ProhibCharEncodingErrorView
view. WhiteList data validation is disabled by default.
Note:
- To activate WhiteList data validation, it must be enabled globally
and in individual web modules.
- The regular expression syntax is based on the standard that is
used by Java. For the regular expression syntax, see the Sun Class Pattern Java API documentation.
Attention: Use extreme caution when you configure
this feature. WhiteList data validation is a restrictive feature in
that it restricts the running of URL commands and views by its configuration.
This feature does not perform extra validation to ensure that the
regular expression specified is compatible with your site. For example,
if you configure it so that the storeId must be an alphabetic character,
your site likely breaks. That is, since by default, the storeId is
expected to be an integer. Therefore, when you configure this feature,
ensure that the regular expression allows your site to function correctly.
Procedure
- Open the WebSphere
Commerce configuration file.
-
Search for the following element outside of the
<Module>
element:
<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
- Insert the following sample WhiteList configuration before
the preceding element, and modify it to suit your business needs:
<WhiteListProtection
enabled="true"
name="WhiteListProtection"
display="false">
<param name="storeId" regex="[-]?[0-9]*"/>
<param name="langId" regex="[-]?[0-9]*"/>
<param name="catalogId" regex="[-]?[0-9]*"/>
<param name="categoryId" regex="[-]?[0-9]*"/>
<param name="productId" regex="[-]?[0-9]*"/>
<param name="parent_category_rn" regex="[-]?[0-9]*"/>
<param name="physicalStoreId" regex="[-]?[0-9]*"/>
<param name="geoNodeId" regex="[-]?[0-9]*"/>
</WhiteListProtection>
<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
Where:
- WhiteListProtection.enabled
- Global flag to enable or disable WhiteList data validation. Valid
values are
true
or false
.
- WhiteListProtection.param.name
- The name of the parameter to be validated.
- WhiteListProtection.param.regex
- The regular expression that defines the allowed values. The regular
expression syntax is based on the standard that is used by Java.
- For the regular expression syntax, see the Sun Class Pattern Java API documentation.
- WhiteListProtection.param.maxLength
- The maximum number of characters allowed.
- In each web module that requires WhiteList data validation,
search for the corresponding
Module
element.
For example, the Stores
web module element:
<Module contextPath="/webapp/wcs/stores"
fileServletEnabled="false" name="Stores"
urlMappingPath="/servlet" webAlias="/wcsstore">
<InitParameters adapters="XML/HTTP, BrowserAdapter"
contextSetName="Store" handleDoubleClick="true"/>
<URLRedirectFilter enable="true"/>
</Module>
- Insert a
WhiteListProtection
element to
enable this feature for that web module:
<WhiteListProtection enable="true"/>
For instance, to enable WhiteList data validation in
the Stores
web module, the WhiteListProtection
element
is added in the following snippet in bold:
<Module contextPath="/webapp/wcs/stores"
fileServletEnabled="false" name="Stores"
urlMappingPath="/servlet" webAlias="/wcsstore">
<InitParameters adapters="XML/HTTP, BrowserAdapter"
contextSetName="Store" handleDoubleClick="true"/>
<URLRedirectFilter enable="true"/>
<WhiteListProtection enable="true"/>
</Module>
Note: If the WhiteListProtection
element
is not specified for a web module, the default WhiteListProtection
value
is false (WhiteList data validation disabled).
- Start your WebSphere Commerce
instance if it is not already started.
- Run the following command if no WebSphere Application Server
security is enabled:
- WC_installdir/bin/config_ant.sh
-DinstanceName=instance_name UpdateEAR
- WC_installdir/bin/config_ant.bat
-DinstanceName=instance_name UpdateEAR
Run the following command if WebSphere Application
Server Admin and Application securities are enabled (for example,
the WebSphere Application Server username/password is configadmin/configpassword):
- Restart your WebSphere Commerce
instance.