Oracle ATG Web Commerce includes a component, /atg/dynamo/servlet/pipeline/RedirectURLValidator, that prevents URL redirection (an open redirect) to hostnames other than the hostname used in the current HTTP request. You can configure a list of hostnames that RedirectURLValidator allows even if they do not match the hostname in the client's original request.

The RedirectURLValidator component includes the properties described below.

allowLocalHost
    If this boolean property is set to true, RedirectURLValidator will allow redirection to localhost and synonyms for it. Synonyms for localhost are defined by the /atg/dynamo/service/LocalHostConfiguration component.

    Even when this property is set to true, the LocalHostConfiguration component may not successfully discover all aliases for the localhost. If this happens, add aliases for your localhost to the allowedHostNames property of the RedirectURLValidator component.

allowAllSiteURLs
    If this boolean property is set to true, RedirectURLValidator will allow redirection to any hostname and port that match the URLs of your multisite Web sites.

allowedHostNames
    RedirectURLValidator will allow redirection to any hostname that you include in this String array property.

allowedHostRegexes
    RedirectURLValidator will allow redirection to any hostname that matches one of the regular expressions that you include in this String array property.

enabled
    This property is set to true by default. To turn RedirectURLValidator off, set this property to false.

If the RedirectURLValidator component blocks an attempted URL redirect, it generates a server log message similar to the following.

**** Warning    Tue Sep 13 15:52:22 EDT 2011    1315943542589   /atg/dynamo/servlet/pipeline/RedirectURLValidator
Not allowing redirect of the URL "http://bad.com:7103/somedir/somepage.jsp". Adjust settings of this component
(such as the "allowedHostNames", "allowLocalHost", and "allowAllSiteURLs" properties) to allow.
Will not warn again for URLs of host "bad.com" for 5 minutes.
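The decision rules in the property table and the per-host warning throttle shown in the log message, modelled as an added Python example (this is not Oracle's code; the localhost alias set, the treatment of relative URLs as same-host, whole-hostname regex matching, and the siteURLs list standing in for multisite URLs are assumptions):

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the aliases the LocalHostConfiguration component would supply.
LOCALHOST_SYNONYMS = {"localhost", "127.0.0.1", "::1"}


class RedirectURLValidator:
    """Models the documented rules; property names mirror the ATG component."""

    def __init__(self, enabled=True, allowLocalHost=False, allowAllSiteURLs=False,
                 allowedHostNames=(), allowedHostRegexes=(), siteURLs=(), warn_interval=300):
        self.enabled = enabled
        self.allowLocalHost = allowLocalHost
        self.allowAllSiteURLs = allowAllSiteURLs
        self.allowedHostNames = {h.lower() for h in allowedHostNames}
        # Compiled once; matched with fullmatch below so an unanchored pattern such as
        # ".*\.example\.com" cannot be satisfied by "api.example.com.evil.net".
        self.allowedHostRegexes = [re.compile(r, re.IGNORECASE) for r in allowedHostRegexes]
        # Assumption: multisite URLs are compared on (hostname, port), as the table states.
        self.siteURLs = set()
        for u in siteURLs:
            parts = urlsplit(u)
            self.siteURLs.add((parts.hostname, parts.port))
        self.warn_interval = warn_interval      # seconds; the log message shows 5 minutes
        self._last_warned = {}                  # host -> time of the last warning for it

    def is_allowed(self, request_host, redirect_url):
        """request_host is the bare hostname of the current request (assumption: no port)."""
        if not self.enabled:
            return True
        parts = urlsplit(redirect_url)          # also catches scheme-relative "//host/path"
        host = parts.hostname                   # already lower-cased by urlsplit
        if host is None:                        # assumption: a relative URL stays on this host
            return True
        if host == request_host.lower():
            return True
        if self.allowLocalHost and host in LOCALHOST_SYNONYMS:
            return True
        if self.allowAllSiteURLs and (host, parts.port) in self.siteURLs:
            return True
        if host in self.allowedHostNames:
            return True
        return any(rx.fullmatch(host) for rx in self.allowedHostRegexes)

    def should_warn(self, host, now):
        """True (and recorded) if no warning was issued for host within warn_interval seconds."""
        last = self._last_warned.get(host)
        if last is not None and now - last < self.warn_interval:
            return False
        self._last_warned[host] = now
        return True
```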

Copyright © 1997, 2012 Oracle and/or its affiliates. All rights reserved.