Character encoding and query string validation

When the dynamic URL feature is enabled, WebSEAL maps the dynamic data in the query strings of requests to objects that require protection (access control). If WebSEAL receives dynamic data (in a POST body or query string) that uses characters that are neither UTF-8 nor from the character set in which WebSEAL runs, WebSEAL rejects the request and returns an error.

To securely map query strings to objects, the strings need to use the same character set known to WebSEAL and the back-end application server. Otherwise, dynamic URL access control could be circumvented by a request that uses a character accepted by the back-end application, but not accepted by WebSEAL.

The dynamic URL feature is affected by the value of the decode-query stanza entry in the [server] stanza of the WebSEAL configuration file. If WebSEAL is configured not to validate query strings in requests (decode-query=no), dynamic URL mapping for authorization checking must also be disabled. WebSEAL will not start if dynamic URL mapping is enabled while decode-query=no.

If WebSEAL (with dynamic URL enabled and decode-query=yes) is running in a non-UTF-8 environment, and request POST bodies (or query strings) contain UTF-8 characters, you can use the utf8-form-support-enabled stanza entry in the [server] stanza of the WebSEAL configuration file to allow WebSEAL to decode the UTF-8 encoding in these requests.
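The following is an added illustration, not WebSEAL's own code, of the validation rule described above: each percent-decoded query-string value must be valid UTF-8 or valid in the character set WebSEAL runs in, otherwise the request is rejected, and only the validated text is matched against the dynamic URL mapping. The mapping table and object names are constructed, and the decoding order (UTF-8 first when utf8-form-support-enabled=yes, local charset first otherwise) is an assumption for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed stand-in for a dynamic URL mapping table: (key, value) -> object name.
# The object names are hypothetical, not from any WebSEAL configuration.
DYNURL_MAP = {
    ("op", "delete"): "/WebSEAL/app/delete",
    ("op", "view"): "/WebSEAL/app/view",
}


def decode_dynamic_data(raw: bytes, local_charset: str, utf8_form_support: bool):
    """Return the text of one percent-decoded query value, or None if the bytes
    are valid neither as UTF-8 nor in the charset WebSEAL runs in (reject).
    Assumption: with utf8-form-support-enabled=yes UTF-8 is tried before the
    local charset; otherwise the local charset is tried first."""
    order = ["utf-8", local_charset] if utf8_form_support else [local_charset, "utf-8"]
    for charset in order:
        try:
            return raw.decode(charset)
        except UnicodeDecodeError:
            continue
    return None


def map_query_to_objects(query: str, local_charset: str = "utf-8",
                         utf8_form_support: bool = False):
    """Percent-decode every key=value pair, validate its character set, and
    return the protected object names the query maps to. Raises ValueError for
    a request that the validation rule says must be rejected."""
    objects = []
    for pair in query.split("&"):
        if not pair:
            continue
        raw_key, _, raw_val = pair.partition("=")
        key = decode_dynamic_data(unquote_to_bytes(raw_key), local_charset, utf8_form_support)
        val = decode_dynamic_data(unquote_to_bytes(raw_val), local_charset, utf8_form_support)
        if key is None or val is None:
            # Neither UTF-8 nor the local charset: the request gets an error,
            # so no object is ever looked up for it.
            raise ValueError("query string contains bytes in an unsupported encoding")
        obj = DYNURL_MAP.get((key, val))
        if obj is not None:
            objects.append(obj)
    return objects
```

The same bytes decode to different text under different charsets (for example b"\xc2\xa5" is one character as UTF-8 but two as ISO-8859-1), which is why the front end and the back-end application must agree on the character set before the mapping is trusted.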

Parent topic: Access control for dynamic URLs