Enabling WhiteList data validation

When enabled, WhiteList data validation ensures that when a URL command or view is run, the parameter values conform to a specified regular expression. For example, you can configure it so that the storeId must be an integer. When a WhiteList violation is detected, the request is changed to the ProhibCharEncodingErrorView view. WhiteList data validation is disabled by default.

Note:
  • To activate WhiteList data validation, it must be enabled globally and in individual web modules.
  • The regular expression syntax is based on the standard that is used by Java. For the regular expression syntax, see the Sun Class Pattern Java API documentation.
Attention: Use extreme caution when you configure this feature. WhiteList data validation is a restrictive feature in that it restricts the running of URL commands and views by its configuration. This feature does not perform extra validation to ensure that the regular expression specified is compatible with your site. For example, if you configure it so that the storeId must be an alphabetic character, your site likely breaks. That is, since by default, the storeId is expected to be an integer. Therefore, when you configure this feature, ensure that the regular expression allows your site to function correctly.

Procedure

  1. Open the WebSphere Commerce configuration file.
  2. Search for the following element outside of the <Module> element: 
    
<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
  3. Insert the following sample WhiteList configuration before the preceding element, and modify it to suit your business needs: 
    
<WhiteListProtection 
       enabled="true" 
       name="WhiteListProtection"
       display="false">
   <param name="storeId" regex="[-]?[0-9]*"/>
   <param name="langId" regex="[-]?[0-9]*"/>
   <param name="catalogId" regex="[-]?[0-9]*"/>
   <param name="categoryId" regex="[-]?[0-9]*"/>
   <param name="productId" regex="[-]?[0-9]*"/>
   <param name="parent_category_rn" regex="[-]?[0-9]*"/>
   <param name="physicalStoreId" regex="[-]?[0-9]*"/>
   <param name="geoNodeId" regex="[-]?[0-9]*"/>  
</WhiteListProtection>

<XSiteScriptingProtection display="false" enabled="true" name="Cross Site Scripting Protection">
    where:
    WhiteListProtection.enabled
    Global flag to enable or disable WhiteList data validation. Valid values are true or false.
    WhiteListProtection.param.name
    The name of the parameter to be validated.
    WhiteListProtection.param.regex
    The regular expression that defines the allowed values. The regular expression syntax is based on the standard that is used by Java.
    For the regular expression syntax, see the Sun Class Pattern Java API documentation.
    WhiteListProtection.param.maxLength
    The maximum number of characters allowed.
  4. In each web module that requires WhiteList data validation, search for the corresponding Module element.
    For example, the Stores web module element:
    
<Module contextPath="/webapp/wcs/stores"
   fileServletEnabled="false" name="Stores"
   urlMappingPath="/servlet" webAlias="/wcsstore">
   <InitParameters adapters="XML/HTTP, BrowserAdapter"
      contextSetName="Store" handleDoubleClick="true"/>
   <URLRedirectFilter enable="true"/>
</Module>
  5. Insert a WhiteListProtection element to enable this feature for that web module: 
    
<WhiteListProtection enable="true"/>

    For instance, to enable WhiteList data validation in the Stores web module, the WhiteListProtection element is added in the following snippet in bold:

    
<Module contextPath="/webapp/wcs/stores"
   fileServletEnabled="false" name="Stores"
   urlMappingPath="/servlet" webAlias="/wcsstore">
   <InitParameters adapters="XML/HTTP, BrowserAdapter"
      contextSetName="Store" handleDoubleClick="true"/>
   <URLRedirectFilter enable="true"/>
   <WhiteListProtection enable="true"/>
</Module>
    Note: If the WhiteListProtection element is not specified for a web module, the default WhiteListProtection value is false (WhiteList data validation disabled).
  6. Start your WebSphere Commerce instance if it is not already started.
  7. Run the following command if no WebSphere Application Server security is enabled:
    • LinuxAIXFor IBM i OS operating systemWC_installdir/bin/config_ant.sh -DinstanceName=instance_name UpdateEAR
    • WindowsWC_installdir/bin/config_ant.bat -DinstanceName=instance_name UpdateEAR
    Run the following command if WebSphere Application Server Admin and Application securities are enabled (for example, the WebSphere Application Server username/password is configadmin/configpassword):
    • LinuxAIXFor IBM i OS operating systemWC_installdir/bin/config_ant.sh -DinstanceName=instance_name -DWASAdminUser=configadmin -DWASAdminPassword=configpassword UpdateEAR
    • WindowsWC_installdir/bin/config_ant.bat -DinstanceName=instance_name -DWASAdminUser=configadmin -DWASAdminPassword=configpassword UpdateEAR
      Note: For -DWASAdminPassword=XXXXXX, the password must not be in encrypted format.
  8. Restart your WebSphere Commerce instance.