Validation of query parameters in URLs is initiated by the /atg/dynamo/servlet/dafpipeline/SecurityServlet component in the request handling pipeline. This component, of class atg.servlet.pipeline.SecurityServlet, examines the values of the request's query parameters and stops processing the request if any parameter value appears suspicious. SecurityServlet invokes a component of class atg.servlet.security.param.OverridableParameterValidator to perform the validation. This component is specified through the parameterValidator property of the SecurityServlet component. By default, this property is set to /atg/dynamo/servlet/security/ParameterValidator.
The ParameterValidator component can filter the values of query parameters using its own logic, or it can delegate the filtering to other components that implement different filtering logic. These other components can be specified with the ParameterValidator component's overridingValidators property, which can hold a list of components of classes that implement the atg.servlet.security.param.RequestParameterValidator interface. RequestParameterValidator is a subinterface of the ParameterValidator interface that adds a canValidateRequest() method. This method is responsible for examining the request and determining whether it can perform the validation or if validation must be passed on to another component.
When the ParameterValidator component validates query parameters, it checks the first component named in its overridingValidators property and calls this component's canValidateRequest() method. If the method returns true, ParameterValidator delegates responsibility for validating the query parameters to that component. If the method returns false, the same check is performed on each subsequent component in the list until one returns true, at which point ParameterValidator stops checking the remaining components and invokes the one that returned true. If none of the overriding validator components returns true, ParameterValidator validates the query parameters itself. This logic makes it possible to use different validator components in different contexts.
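The following standalone Java program is an added example that models the delegation chain described above; it is not code from the ATG platform or from this page. Only the names ParameterValidator, RequestParameterValidator, canValidateRequest(), overridingValidators and enabled come from the documentation. The validate(Map) method and its "true means the request may proceed" contract, the setter names, the DelegatingParameterValidator and MarkupRejectingValidator classes, the markup pattern and the CR/LF fallback rule are all assumptions made for illustration and do not reproduce the real XSSParameterValidator rule set.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Stand-in for the ParameterValidator interface. The ATG interface is not
// reproduced here; validate(Map) and its boolean "request may proceed"
// contract are assumptions made for this example.
interface ParameterValidator {
    boolean validate(Map<String, String[]> queryParams);
}

// Stand-in for RequestParameterValidator: the subinterface adding canValidateRequest().
interface RequestParameterValidator extends ParameterValidator {
    boolean canValidateRequest(Map<String, String[]> queryParams);
}

// Simplified analogue of the default ParameterValidator component's delegation logic.
class DelegatingParameterValidator implements ParameterValidator {
    private List<RequestParameterValidator> overridingValidators = Collections.emptyList();

    public void setOverridingValidators(List<RequestParameterValidator> validators) {
        this.overridingValidators = new ArrayList<>(validators);
    }

    @Override
    public boolean validate(Map<String, String[]> queryParams) {
        // Walk the list in order; the first validator whose canValidateRequest()
        // returns true takes over, and the remaining entries are never consulted.
        for (RequestParameterValidator candidate : overridingValidators) {
            if (candidate.canValidateRequest(queryParams)) {
                return candidate.validate(queryParams);
            }
        }
        // No overriding validator claimed the request: fall back to own logic.
        return validateLocally(queryParams);
    }

    // Fallback rule (an assumption for this example): reject CR or LF in any value.
    protected boolean validateLocally(Map<String, String[]> queryParams) {
        for (String[] values : queryParams.values()) {
            for (String v : values) {
                if (v != null && (v.indexOf('\r') >= 0 || v.indexOf('\n') >= 0)) {
                    return false;
                }
            }
        }
        return true;
    }
}

// Analogue of the default overriding validator: an "enabled" switch that makes
// canValidateRequest() answer true for every request, plus a markup check.
// The pattern is illustrative only, not XSSParameterValidator's real rule set.
class MarkupRejectingValidator implements RequestParameterValidator {
    private static final Pattern SUSPICIOUS =
        Pattern.compile("[<>]|javascript:", Pattern.CASE_INSENSITIVE);
    private boolean enabled = true;

    public void setEnabled(boolean enabled) { this.enabled = enabled; }

    @Override
    public boolean canValidateRequest(Map<String, String[]> queryParams) {
        return enabled;   // when enabled, this component overrides for every request
    }

    @Override
    public boolean validate(Map<String, String[]> queryParams) {
        for (String[] values : queryParams.values()) {
            for (String v : values) {
                if (v != null && SUSPICIOUS.matcher(v).find()) {
                    return false;   // SecurityServlet would stop the request here
                }
            }
        }
        return true;
    }
}

public class ParameterValidationDemo {
    public static void main(String[] args) {
        MarkupRejectingValidator overrider = new MarkupRejectingValidator();
        DelegatingParameterValidator validator = new DelegatingParameterValidator();
        validator.setOverridingValidators(List.of(overrider));

        // Constructed sample query parameters, as a servlet would see them.
        Map<String, String[]> clean = Map.of("q", new String[] {"shoes"});
        Map<String, String[]> markup = Map.of("q", new String[] {"<b>shoes</b>"});
        Map<String, String[]> crlf = Map.of("q", new String[] {"shoes\r\nX-Injected: 1"});

        System.out.println("clean, overrider enabled:   " + validator.validate(clean));
        System.out.println("markup, overrider enabled:  " + validator.validate(markup));

        // Disable the overrider: canValidateRequest() now returns false for every
        // request, so the delegating validator's own CR/LF rule is what runs.
        overrider.setEnabled(false);
        System.out.println("markup, overrider disabled: " + validator.validate(markup));
        System.out.println("crlf, overrider disabled:   " + validator.validate(crlf));
    }
}
```

With the overrider enabled, the markup value is rejected and the clean value passes. Once the overrider's enabled switch is turned off, it no longer claims any request, so the markup value is accepted by the fallback logic (which only looks for CR/LF) while the value carrying a line break is rejected. That second run is the practical caveat: disabling or reordering an overriding validator silently changes which rule set the request is checked against, so any such change should be verified with requests of each kind the removed validator used to reject.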
By default, the overridingValidators property is set to the /atg/dynamo/servlet/security/XSSParameterValidator component, of class atg.servlet.security.param.XSSParameterValidator. If this component's enabled property is set to true, its canValidateRequest() method returns true for every request. This means that unless you change the default configuration, this component always overrides ParameterValidator. See Using the XSSParameterValidator Component for information about XSSParameterValidator.