Class: atg.servlet.pipeline.HeadPipelineServlet

Component: /atg/dynamo/servlet/dafpipeline/DynamoHandler

DynamoHandler is always the first servlet in a pipeline. This pipeline servlet takes in an HttpServletRequest/Response pair and passes on a DynamoHttpServletRequest/Response pair. Putting this servlet at the head of the pipeline ensures that all subsequent pipeline servlets are passed all the functionality of DynamoHttpServletRequest and DynamoHttpServletResponse.

RequestLocale Object

The DynamoHandler servlet also creates a RequestLocale object in the request. This servlet identifies the locale of the request and sets the locale property of the request’s RequestLocale accordingly. This enables you to deliver different content based on the visitor’s locale. You can disable the creation of RequestLocale objects by setting the DynamoHandler's generateRequestLocales property to false.

See the Internationalizing an Oracle Commerce Platform Web Site chapter of this guide for more information.

Preventing User Interface Redress Attacks (Clickjacking)

A user interface redress attack (often referred to as clickjacking) is a hacking technique in which a user is tricked into executing malicious code by clicking an apparently innocuous link or button on a web site. For example, a button might carry a hidden script that executes when the button is clicked and transmits personal information about the user.

To protect against clickjacking, most browsers support fields in HTTP response headers that prevent site pages from being rendered in frames or iframes, thus ensuring that these pages are not embedded in the pages of another site. The DynamoHandler servlet has three properties that you can use to insert these fields in response headers:

The value you specify for each of these properties is used as the value of the corresponding header field. For example, you could set the contentSecurityPolicyHeader property like this:

contentSecurityPolicyHeader=frame-options 'deny'

This results in the following field being inserted in response headers:

Content-Security-Policy: frame-options 'deny'

Note that some browsers may not support all three of these fields, or may ignore certain fields if others are present. You should check which fields and values are supported by commonly used browsers before setting these properties.
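The following is an added example, not code from the Oracle documentation or the ATG product, of the kind of check the preceding paragraph recommends: it parses the headers of a captured HTTP response and reports what framing protection they actually provide. It recognizes X-Frame-Options and the standardized Content-Security-Policy directive frame-ancestors, and it flags the frame-options directive used in the page's example, which comes from a CSP 1.1 draft and is not what current browsers implement. The sample responses are constructed for the example.

```python
"""Evaluate the framing (clickjacking) protection carried by HTTP response headers.

Added example, not part of the Oracle ATG documentation. Sample responses
below are constructed; point parse_headers() at a real captured response
to check a deployed configuration.
"""
from typing import Dict, List

STANDARD_DIRECTIVE = "frame-ancestors"  # CSP Level 2, implemented by current browsers
DRAFT_DIRECTIVE = "frame-options"       # CSP 1.1 draft directive, as in the page's example


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response (status line plus header lines) into a
    map of lower-cased header name -> list of values, in order of appearance."""
    headers: Dict[str, List[str]] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into directive -> source list.
    Per the CSP spec, a repeated directive name keeps its first occurrence."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def framing_protection(headers: Dict[str, List[str]]) -> dict:
    """Return {'protected': bool, 'notes': [...]} describing whether the
    response forbids framing by other origins and what a reviewer should know."""
    result = {"protected": False, "notes": []}

    xfo = headers.get("x-frame-options", [])
    if len(xfo) > 1:
        result["notes"].append("multiple X-Frame-Options values present; handling is browser-dependent")
    if xfo:
        value = xfo[0].upper()
        if value in ("DENY", "SAMEORIGIN"):
            result["protected"] = True
        elif value.startswith("ALLOW-FROM"):
            result["notes"].append("ALLOW-FROM is obsolete and ignored by current browsers")
        else:
            result["notes"].append(f"unrecognised X-Frame-Options value {value!r}")

    csp_values = headers.get("content-security-policy", [])
    for policy in csp_values:
        directives = csp_directives(policy)
        if STANDARD_DIRECTIVE in directives:
            if "*" in directives[STANDARD_DIRECTIVE]:
                result["notes"].append("frame-ancestors * permits framing by any origin")
            else:
                result["protected"] = True
        if DRAFT_DIRECTIVE in directives:
            result["notes"].append(
                "frame-options is a CSP 1.1 draft directive; current browsers expect frame-ancestors")

    if not xfo and not csp_values:
        result["notes"].append("no framing protection header present")
    return result


# Constructed sample responses (not captured from any real server).
SAMPLE_XFO = "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: DENY\n"
SAMPLE_CSP = "HTTP/1.1 200 OK\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\n"
SAMPLE_DRAFT = "HTTP/1.1 200 OK\nContent-Security-Policy: frame-options 'deny'\n"
SAMPLE_NONE = "HTTP/1.1 200 OK\nContent-Type: text/html\n"


def check_samples() -> Dict[str, dict]:
    """Run the check over every sample; handy for a quick look at the output."""
    return {
        name: framing_protection(parse_headers(raw))
        for name, raw in [("xfo", SAMPLE_XFO), ("csp", SAMPLE_CSP),
                          ("draft", SAMPLE_DRAFT), ("none", SAMPLE_NONE)]
    }


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:6} protected={verdict['protected']} notes={verdict['notes']}")
```

The draft sample corresponds to the page's contentSecurityPolicyHeader example: on its own it yields protected=False with a note, which is exactly the situation the paragraph above warns about, so a deployment relying on that value should confirm that a supported field (X-Frame-Options or frame-ancestors) is also being sent.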

Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved. Legal Notices