Validate Message Attributes

Overview

Filters configured in a policy before the Validate Message Attributes filter can generate message attributes and store them in the message. The Validate Message Attributes filter can use regular expressions to check the values of these message attributes. This enables you to make decisions on what to do with the message (for example, if the attribute value is X, route to service X).

You can configure the following sections on the Validate Message Attributes screen:

  • Enter Regular Expression:

    You can configure a list of message attributes so that each is checked against a regular expression from the global White list library or against a manually configured expression. This check ensures that the value of the message attribute is acceptable. For example, if you know that a message attribute must have a value of ABCD, a regular expression of ^ABCD$ is an exact match test.

  • Enter Threatening Content Regular Expression:

    You can select threatening content regular expressions from the global Black list to run against each message attribute. These regular expressions identify common attack signatures (for example, SQL injection attacks, ASCII control characters, XML entity expansion attacks, and so on).

You can configure the global White list and Black list libraries of regular expressions under the Libraries node in the Policy Studio tree.

Configuring Message Attribute Regular Expressions

The Enter Regular Expression table displays the list of configured message attribute names together with the White list of regular expressions that restrict their values. For this filter to run successfully, all configured attribute checks must have values matching the configured regular expressions.

The Name column shows the name of the attribute. The Regular Expression column shows the name of the regular expression that the API Gateway uses to restrict the value of the named attribute. A number of common regular expressions are available from the global White list library.

Configuring a Regular Expression

You can configure regular expressions by selecting the Add, Edit, and Delete buttons. The Configure Regular Expression dialog enables you to add or edit regular expressions to restrict the values of message attributes. To configure a regular expression, perform the following steps:

  1. Enter the name of the message attribute in the Name field.

  2. Select whether this attribute is Optional or Required using the appropriate radio button. If it is Required, the attribute must be present in the request. If the attribute is not present, the filter fails. If it is Optional, the attribute does not need to be present for the filter to pass.

  3. You can enter the regular expression to restrict the value of the attribute manually or select it from the global White list library of regular expressions in the Expression Name drop-down list. A number of common regular expressions are provided (for example, alphanumeric values, dates, and email addresses).

    You can use a selector representing the value of a message attribute to compare the value of a message attribute with another attribute. Enter the $ character in the Regular Expression field to view a list of available attributes. At runtime, the selector is replaced by the corresponding attribute value and compared to the message attribute value that you want to check. For more details on selectors, see Selecting Configuration Values at Runtime.

  4. You can add a regular expression to the library by selecting the Add/Edit button. Enter a Name for the expression followed by the Regular Expression.

Advanced Settings

The Advanced section enables you to extract a portion of the attribute value that is then run against the regular expression. The extracted substring can also be Base64 decoded if necessary.

Threatening Content Regular Expressions

The regular expressions entered in this section guard against the possibility of a message attribute containing malicious content. The Enter Threatening Content Regular Expression table lists the Black list of regular expressions that are run against all message attributes.

For example, to guard against a SQL DELETE attack, you can write a regular expression that identifies SQL syntax and add it to this list. The Threatening Content Regular Expressions are listed in a table. All of these expressions are run against all message attributes configured in the Regular Expression table above. If any expression matches any attribute value, the filter fails.

Important

If any regular expressions are configured in the Message Attribute Regular Expressions section, these expressions are run before the Threatening Content Regular Expressions (TCRE) are run. For example, if you have already configured a regular expression to extract the Base64-decoded attribute value, the TCRE is run against this value instead of the attribute value stored in the message.

You can add threatening content regular expressions using the Add button. You can edit or remove existing expressions by selecting them in the drop-down list, and clicking the Edit or Delete button.

You can enter the regular expressions manually or select them from the global Black list library of threatening content regular expressions. This library is pre-populated with regular expressions that scan for common attack signatures. These include expressions to guard against common SQL injection-style attacks (for example, SQL INSERT, SQL DELETE, and so on), buffer overflow attacks (content longer than 1024 characters), and the presence of control characters in attribute values (ASCII control characters).
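The following Python model shows how the two stages described on this page fit together: the White list checks (steps 1 to 4 above, including Required/Optional handling, a selector that compares one attribute against another, and the Advanced substring extraction and Base64 decoding), followed by the Black list of threatening content expressions, which are run against the prepared (extracted and decoded) values rather than the raw stored values. This is an added example written for this page, not the gateway's own implementation. It assumes a `${attribute.name}` selector syntax (the page only says that `$` opens the selector list), Python regular-expression semantics where an unanchored expression matches anywhere and `^...$` is an exact match, and a constructed Black list modelled on the library categories the page names (SQL DELETE, content longer than 1024 characters, ASCII control characters). All attribute names and values are constructed sample data.

```python
"""Model of a Validate Message Attributes style filter (constructed example)."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AttributeCheck:
    name: str                    # message attribute to check
    regex: str                   # White list expression; may contain ${other.attr} selectors
    required: bool = True        # Required: a missing attribute fails; Optional: check is skipped
    extract: Optional[Tuple[int, Optional[int]]] = None  # Advanced: (start, end) slice to check
    base64_decode: bool = False  # Advanced: Base64-decode the (extracted) value before matching


# Assumed selector syntax ${attribute.name}; hypothetical, modelled on the page's "$" hint.
SELECTOR = re.compile(r"\$\{([^}]+)\}")


def resolve_selectors(regex: str, attrs: Dict[str, str]) -> str:
    """Replace each ${attr} selector with that attribute's current value.

    The value is re.escape'd so it is compared literally instead of being
    interpreted as a pattern supplied by the sender of the message.
    """
    def substitute(match):
        value = attrs.get(match.group(1))
        if value is None:
            raise KeyError(match.group(1))
        return re.escape(value)
    return SELECTOR.sub(substitute, regex)


def prepare_value(check: AttributeCheck, raw: str) -> str:
    """Apply the Advanced settings: substring extraction, then Base64 decoding."""
    value = raw
    if check.extract is not None:
        start, end = check.extract
        value = value[start:end]
    if check.base64_decode:
        value = base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    return value


def validate(attrs: Dict[str, str], checks: List[AttributeCheck],
             threatening: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """White list checks run first; the threatening content (Black list)
    expressions then run against the prepared values. Returns (passed, reasons)."""
    reasons: List[str] = []
    prepared: Dict[str, str] = {}
    for check in checks:
        if check.name not in attrs:
            if check.required:
                reasons.append(f"required attribute '{check.name}' is missing")
            continue
        try:
            value = prepare_value(check, attrs[check.name])
            pattern = resolve_selectors(check.regex, attrs)
        except (ValueError, KeyError) as exc:  # bad Base64 or a selector to a missing attribute
            reasons.append(f"attribute '{check.name}' could not be prepared: {exc!r}")
            continue
        prepared[check.name] = value
        if re.search(pattern, value) is None:  # use ^...$ in the expression for an exact match
            reasons.append(f"attribute '{check.name}' failed White list '{check.regex}'")
    # Black list expressions run against every configured attribute's prepared value,
    # i.e. the extracted / decoded form, not the raw value stored in the message.
    for name, value in prepared.items():
        for threat_name, threat_regex in threatening:
            if re.search(threat_regex, value):
                reasons.append(f"attribute '{name}' matched threatening content '{threat_name}'")
    return (not reasons, reasons)


# Constructed Black list, modelled on the library categories the page names.
THREATENING = [
    ("SQL DELETE", r"(?i)\bdelete\s+from\b"),
    ("Buffer overflow (>1024 chars)", r"(?s).{1025,}"),
    ("ASCII control characters", r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"),
]

# Constructed White list table (attribute names are sample data, not product attributes).
CHECKS = [
    AttributeCheck("http.request.verb", r"^${expected.verb}$"),  # selector: compare two attributes
    AttributeCheck("user.id", r"^[A-Za-z0-9]{1,32}$"),
    # "Basic <base64>": drop the 6-character prefix, decode, then match the decoded text
    AttributeCheck("auth.token", r"^[A-Za-z ]+$", extract=(6, None), base64_decode=True),
    AttributeCheck("correlation.id", r"^[0-9a-f-]{36}$", required=False),
]


def basic_token(text: str) -> str:
    return "Basic " + base64.b64encode(text.encode()).decode()


def clean_message() -> Dict[str, str]:
    return {"http.request.verb": "GET", "expected.verb": "GET",
            "user.id": "alice42", "auth.token": basic_token("alice")}


def evaluate(attrs: Dict[str, str]) -> Tuple[bool, List[str]]:
    return validate(attrs, CHECKS, THREATENING)


if __name__ == "__main__":
    for label, msg in [("clean", clean_message()),
                       ("hidden in Base64", {**clean_message(), "auth.token": basic_token("DELETE FROM t")})]:
        passed, reasons = evaluate(msg)
        print(label, "PASS" if passed else "FAIL", reasons)
```

The "hidden in Base64" message illustrates the ordering rule in the Important note: the raw `auth.token` value is a Base64 string that no Black list expression would match, but because the White list entry extracts and decodes it first, the SQL DELETE expression is evaluated against the decoded text and the filter fails.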

Enter or select an appropriate regular expression to scan all message attributes for threatening content. You can add a regular expression to the library by selecting the Add/Edit button. Enter a Name for the expression followed by the Regular Expression.