Enable URL redirect filtering

When we enable URL redirect filtering, WebSphere Commerce rejects any requests that try to redirect to an unauthorized site. This feature is used to prevent phishing attacks where a link in a WebSphere Commerce site sends the shopper to another site. Examples of URL redirection include:

• URL parameter in a URL command

• reLogonURL in Logon URL command

• URLs defined as click actions in the Marketing Tool. For example, select * from collateral where URL like 'http%'

Procedure

1. Open the WebSphere Commerce configuration file.

2. Locate the web module where we want to enable this feature. For example, to enable this feature for the Stores web module, modify the following section:

   <Module contextPath="/webapp/wcs/stores"
   	fileServletEnabled="false" name="Stores"
   	urlMappingPath="/servlet" webAlias="/wcsstore">
   	<InitParameters adapters="XML/HTTP, BrowserAdapter" 
   	contextSetName="Store" handleDoubleClick="true"/>
   </Module>

   Note: To enable this feature for store preview, modify the module context path as followed: Module contextPath="/webapp/wcs/preview".

3. Add a URLRedirectFilter element in the Module element as shown in the following example:

   <Module contextPath="/webapp/wcs/stores" 
   	fileServletEnabled="false" name="Stores"
   	urlMappingPath="/servlet" webAlias="/wcsstore">
   	<InitParameters adapters="XML/HTTP, BrowserAdapter" 
   	contextSetName="Store" handleDoubleClick="true"/>
   	<URLRedirectFilter enable="true">
   	<AllowedHost name="www.mycompany1.com"/>
   	<AllowedHost name="www.mycompany2.com"/>
   	<AllowedDomain name="mycompany3.com"/>
   	</URLRedirectFilter>
   </Module>

   The usage of these elements is described in the following list:

   URLRedirectFilter enable="true"

   Specifies whether cross-site scripting protection is enabled. Possible values are true or false.

   AllowedHost hostname="www.mycompany1.com"

   Specifies a hostname that WebSphere Commerce allows redirection to. By default, if this feature is enabled, the Web server hostname that is configured for the WebSphere Commerce instance is added to the allowed host list.

   AllowedDomain name="mycompany3.com"

   Specifies an entire domain that WebSphere Commerce allows redirection to. Use this element to allow redirection to all hosts in a domain.

Example

In the preceding example URL redirection from the Stores web module is enabled. WebSphere Commerce allows redirection from the Stores web module to any of the following hosts:

• www.mycompany1.com

• www.mycompany2.com

• www.mycompany3.com

• myhost.mycompany3.com

• myhost2.mycompany3.com

The following hosts would be blocked by WebSphere Commerce:

• www.mycompany4.com

• myhost.mycompany1.com

What to do next

Package our changes to the WebSphere Commerce configuration file for deployment.