Enable URL redirect filtering

When you enable URL redirect filtering, WebSphere Commerce will reject any request that tries to redirect to an unauthorized site. This feature is used to prevent phishing attacks where a link to WebSphere Commerce site will actually bring the shopper to another site.

To enable URL redirect filtering:

1. Open the WebSphere Commerce configuration file.

2. Locate the web module where you want to enable this feature. For example, if you want to enable this feature for the Stores web module, this is the section you want to modify

              <Module contextPath="/webapp/wcs/stores"
                 fileServletEnabled="false" name="Stores"
                 urlMappingPath="/servlet" webAlias="/wcsstore">
                  <InitParameters adapters="XML/HTTP, BrowserAdapter" 
                 contextSetName="Store" handleDoubleClick="true"/>
              </Module>
   
   
   

3. Add a URLRedirectFilter element in the Module element as shown in the following example

              <Module contextPath="/webapp/wcs/stores" 
                 fileServletEnabled="false" name="Stores"
                 urlMappingPath="/servlet" webAlias="/wcsstore">
                  <InitParameters adapters="XML/HTTP, BrowserAdapter" 
                 contextSetName="Store" handleDoubleClick="true"/>
                   <URLRedirectFilter enable="true">
                       <AllowedHost name="www.mycompany1.com"/>
                       <AllowedHost name="www.mycompany2.com"/>
                       <AllowedDomain name="mycompany3.com"/>
                    </URLRedirectFilter>
              </Module>
   
   
   

   The usage of these elements is described in the following list:

   URLRedirectFilter enable="true"

   Specifies whether cross-site scripting protection is enabled. Possible values are true or false.

   AllowedHost hostname="www.mycompany1.com"

   Specifies a hostname that WebSphere Commerce will allow redirection to. By default, if this feature is enabled, the Web server hostname that is configured for the WebSphere Commerce instance will be added to the allowed host list.

   AllowedDomain name="mycompany3.com"

   Specifies an entire domain that WebSphere Commerce will allow redirection to. Use this element if you want to allow redirection to all hosts in a domain.

4. Propagate the changes to the WebSphere Commerce configuration file.

In the preceding example URL redirection from the Stores web module is enabled. WebSphere Commerce will allow redirection from the Stores web module to any of the following hosts:

• www.mycompany1.com

• www.mycompany2.com

• www.mycompany3.com

• myhost.mycompany3.com

• myhost2.mycompany3.com

The following hosts would be blocked by WebSphere Commerce:

• www.mycompany4.com

• myhost.mycompany1.com