Oracle ATG Web Commerce includes a component, /atg/dynamo/servlet/pipeline/RedirectURLValidator, that will prevent URL redirection to hostnames other than the hostname used in the current HTTP request. You can configure a list of hostnames that are allowed by RedirectURLValidator even if they do not match the hostname in the client’s original request.
The RedirectURLValidator component includes the properties described in the following table.
Property | Description |
---|---|
| If this boolean property is set to true, Even when this property is set to |
| If this boolean property is set to true, |
|
|
|
|
| This property is set to |
If the RedirectURLValidator component prevents an attempt to redirect a URL, it will generate a server log message similar to the following.
```
**** Warning Tue Sep 13 15:52:22 EDT 2011 1315943542589 /atg/dynamo/servlet/pipeline/RedirectURLValidator Not allowing redirect of the URL "http://bad.com:7103/somedir/somepage.jsp". Adjust settings of this component (such as the "allowedHostNames", "allowLocalHost", and "allowAllSiteURLs" properties) to allow. Will not warn again for URLs of host "bad.com" for 5 minutes.
```
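
For monitoring, the warning above can be parsed out of the server log and grouped by blocked host. The following is an added example, not Oracle code: the regular expression is derived only from the sample message on this page, the function names are hypothetical, and every sample line except the first is constructed. Because the component stops warning about a host for the stated number of minutes, each record carries a `quiet_until` time and the per-host counts are a lower bound on actual attempts.

```python
import re
from datetime import datetime, timedelta, timezone

# Pattern follows the warning shown above; other ATG log layouts are not assumed.
BLOCKED = re.compile(
    r'^\*{4} Warning\s+.*?\s(?P<ms>\d{13})\s+'
    r'/atg/dynamo/servlet/pipeline/RedirectURLValidator\s+'
    r'Not allowing redirect of the URL "(?P<url>[^"]*)"\.'
    r'.*?Will not warn again for URLs of host "(?P<host>[^"]*)" for (?P<mins>\d+) minutes\.'
)

# First line is the message from the page; the other two are constructed samples.
SAMPLE_LOG = [
    '**** Warning Tue Sep 13 15:52:22 EDT 2011 1315943542589 /atg/dynamo/servlet/pipeline/RedirectURLValidator Not allowing redirect of the URL "http://bad.com:7103/somedir/somepage.jsp". Adjust settings of this component (such as the "allowedHostNames", "allowLocalHost", and "allowAllSiteURLs" properties) to allow. Will not warn again for URLs of host "bad.com" for 5 minutes.',
    '**** Warning Tue Sep 13 15:58:30 EDT 2011 1315943910589 /atg/dynamo/servlet/pipeline/RedirectURLValidator Not allowing redirect of the URL "http://bad.com:7103/otherdir/page.jsp". Adjust settings of this component (such as the "allowedHostNames", "allowLocalHost", and "allowAllSiteURLs" properties) to allow. Will not warn again for URLs of host "bad.com" for 5 minutes.',
    'constructed unrelated log line that must be ignored',
]


def parse_blocked(lines):
    """Return one record per blocked-redirect warning; ignore every other line."""
    events = []
    for line in lines:
        m = BLOCKED.match(line.strip())
        if not m:
            continue
        ms = int(m['ms'])  # epoch milliseconds printed after the human-readable date
        seen = (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                + timedelta(milliseconds=ms % 1000))
        events.append({
            'seen': seen, 'url': m['url'], 'host': m['host'],
            # Further redirects to this host are not logged until this time.
            'quiet_until': seen + timedelta(minutes=int(m['mins'])),
        })
    return events


def summarize(events):
    """Group by host; counts are a lower bound because of the quiet window."""
    hosts = {}
    for e in events:
        h = hosts.setdefault(e['host'], {'warnings': 0, 'urls': set(),
                                         'first_seen': e['seen'],
                                         'quiet_until': e['quiet_until']})
        h['warnings'] += 1
        h['urls'].add(e['url'])
        h['first_seen'] = min(h['first_seen'], e['seen'])
        h['quiet_until'] = max(h['quiet_until'], e['quiet_until'])
    return hosts
```

A host that keeps reappearing after each quiet window expires is a sign of a link or form that repeatedly supplies an off-site redirect target, and is worth tracing back to the request that carried it.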