| Class | |
|---|---|
| Component | |
The `DAFDropletEventServlet` calls the setX/handleX methods of a bean when a form is submitted from a dynamic page or when serving a request from an anchor tag with bean attributes. You can configure how this servlet handles errors encountered in processing a page. By default, errors are set as an element of the `DropletExceptions` set in the request attribute `DropletConstants.DROPLET_EXCEPTIONS_ATTRIBUTE`. Setting the following property returns errors to the requesting page:

reportDropletExceptions=true
Preventing Cross-Site Scripting Attacks
Cross-site scripting attacks take advantage of a vulnerability that makes it possible for a malicious site you access to use your browser to submit form requests to another site (such as an Oracle ATG Web Commerce-based site). To prevent processing of these requests, the Oracle ATG Web Commerce platform can use a request parameter `_dynSessConf`, containing a session-confirmation number, to verify that a request is legitimate. This randomly generated long number is associated with the session of the submitted form. On submission of a form or activation of a property-setting `dsp:a` tag, `DAFDropletEventServlet` checks the value of `_dynSessConf` against the current session's confirmation number. If it detects a mismatch or missing number, it can block form processing and return an error.
You can configure this behavior through two properties in the component `/atg/dynamo/Configuration`:

- `enforceSessionConfirmation` specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
- `warnOnSessionConfirmationFailure` specifies whether to issue a warning on a confirmation number mismatch; the default value is true.
You can also control session confirmation for individual requests by setting the attribute `requiresSessionConfirmation` to `true` or `false` on the applicable `dsp:form` or `dsp:a` tag. If this attribute is set to `false`, the `_dynSessConf` parameter is not included in the HTTP request, and the `DAFDropletEventServlet` skips validation of this request's session-confirmation number.
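The check described in the two passages above (the `_dynSessConf` comparison performed by `DAFDropletEventServlet`, the two `/atg/dynamo/Configuration` properties, and the per-tag `requiresSessionConfirmation` override), as an added illustrative model in Python. This is not ATG code and does not use the ATG API; the class and function names (`Session`, `Configuration`, `build_form_params`, `check_session_confirmation`) are invented for the example, and the 63-bit width of the random number is an assumption chosen so it fits a Java `long`.

```python
import logging
import secrets

logger = logging.getLogger("session_confirmation")

# Request parameter name as documented for ATG.
SESSION_CONF_PARAM = "_dynSessConf"


class Session:
    """Server-side session carrying a randomly generated confirmation number.

    Models the page's description: a random long bound to the session of the
    submitted form. The 63-bit width is an assumption (positive Java long).
    """

    def __init__(self):
        self.confirmation_number = secrets.randbits(63)


class Configuration:
    """Stand-in for the two /atg/dynamo/Configuration properties on the page."""

    def __init__(self, enforce_session_confirmation=True,
                 warn_on_session_confirmation_failure=True):
        self.enforce_session_confirmation = enforce_session_confirmation
        self.warn_on_session_confirmation_failure = warn_on_session_confirmation_failure


def build_form_params(session, requires_session_confirmation=True, **fields):
    """Model what a dsp:form emits: the form fields plus _dynSessConf, unless the
    tag attribute requiresSessionConfirmation is false, in which case the
    parameter is omitted entirely."""
    params = dict(fields)
    if requires_session_confirmation:
        params[SESSION_CONF_PARAM] = str(session.confirmation_number)
    return params


def check_session_confirmation(request_params, session, config,
                               requires_session_confirmation=True):
    """Return (allowed, reason) for a submitted request.

    - requiresSessionConfirmation=false on the tag: validation is skipped.
    - Otherwise _dynSessConf is compared with the session's number.
    - Missing or mismatching number: a warning is logged when
      warnOnSessionConfirmationFailure is true, and the request is blocked
      when enforceSessionConfirmation is true.
    """
    if not requires_session_confirmation:
        return True, "skipped"

    supplied = request_params.get(SESSION_CONF_PARAM)
    if supplied is None:
        failure = "missing"
    else:
        # Constant-time comparison so the check does not leak the number
        # through timing; both sides are encoded so any input string is accepted.
        expected = str(session.confirmation_number).encode()
        failure = None if secrets.compare_digest(
            str(supplied).encode(), expected) else "mismatch"

    if failure is None:
        return True, "confirmed"

    if config.warn_on_session_confirmation_failure:
        logger.warning("session confirmation %s for parameter %s",
                       failure, SESSION_CONF_PARAM)
    if config.enforce_session_confirmation:
        return False, failure
    # Not enforced: the request proceeds although the number did not verify.
    return True, failure + "-not-enforced"


def demo():
    """Run the scenarios a practitioner would want to see: a legitimate
    submission, a forged submission lacking the number, and the two overrides."""
    session = Session()
    strict = Configuration()
    lax = Configuration(enforce_session_confirmation=False)

    legit = build_form_params(session, user="alice")            # constructed
    forged = {"user": "alice"}                                   # constructed: no _dynSessConf
    opted_out = build_form_params(session, requires_session_confirmation=False)

    return {
        "legit": check_session_confirmation(legit, session, strict),
        "forged": check_session_confirmation(forged, session, strict),
        "forged_not_enforced": check_session_confirmation(forged, session, lax),
        "opted_out": check_session_confirmation(
            opted_out, session, strict, requires_session_confirmation=False),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints one line per scenario; the forged submission is blocked under the default configuration and only passes when `enforceSessionConfirmation` is turned off, which is the setting a reviewer should look for when auditing a deployment.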