Validation of character encoding in request data
WebSEAL parses requests to ensure that their character encoding is compatible with the requirements of the back-end server. For example, the query string of a request can contain character encoding, such as raw binary data, that WebSEAL does not accept; WebSEAL rejects such a request.
Invalid character encoding can also arise from the specific requirements of the back-end server application. In a typical scenario, the client makes a request to this back-end application. The request includes a query string, which the back-end application requires, that contains character encoding unknown to WebSEAL. WebSEAL rejects the request and returns a Bad Request (400) error. The error log contains a message such as Illegal character in URL.
One solution to the problem of incorrect validation of character encoding is to configure WebSEAL to not validate the query string and POST body data of requests. The request data can then be passed unchanged to the back-end application.
To instruct WebSEAL to not validate query string and POST body data, set the value of the decode-query stanza entry in the [server] stanza of the WebSEAL configuration file to "no":
[server]
decode-query = no
The following setting is the default.
decode-query = yes
If decode-query is set to yes, WebSEAL validates the query string in requests according to the utf8-qstring-support-enabled stanza entry. See UTF-8 support in query strings. This setting also applies to POST body data in requests when dynamic URL is enabled, because dynamic URL converts the POST body data in a request to query string format. See Conversion of POST body dynamic data to query string format.
If decode-query is set to yes, WebSEAL validates the POST body in requests according to the utf8-form-support-enabled stanza entry. See UTF-8 support in POST body information (forms).
If you set decode-query=no, you must understand the possible consequences for securing protected objects. In particular, if WebSEAL is configured to not validate query strings in requests (decode-query=no), then dynamic URL mapping for authorization checking, if enabled, must be disabled.
To disable the dynamic URL feature, leave the value for the dynurl-map stanza entry in the [server] stanza blank:
[server]
dynurl-map =
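The two settings above interact: once decode-query is no, a non-blank dynurl-map leaves dynamic URL authorization checking enabled on data that WebSEAL no longer validates. The following added example is not part of WebSEAL or its documentation; it is a small audit script that reads a webseald-style configuration file and reports that combination. The stanza and entry names ([server], decode-query, dynurl-map) and the default of decode-query = yes come from the page; the parser, the treatment of an absent dynurl-map entry as blank, and the sample configuration texts are this example's own assumptions.

```python
"""Audit a WebSEAL-style configuration for the decode-query / dynurl-map
interaction. Added example, not IBM's code; sample configs are constructed."""

from typing import Dict, List


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the '[stanza]' / 'key = value' layout.

    Blank lines and '#' comments are ignored. Within a stanza, a later
    duplicate key overrides an earlier one. A key with nothing after '='
    is stored as the empty string, which is how the page says to disable
    dynamic URL ('dynurl-map =').
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def audit_decode_query(text: str) -> List[str]:
    """Return findings about request-data validation; empty list means none.

    Assumption (not stated on the page): an absent dynurl-map entry is
    treated as blank, i.e. dynamic URL disabled.
    """
    server = parse_stanzas(text).get("server", {})
    # The page states decode-query = yes is the default when not set.
    decode_query = server.get("decode-query", "yes").strip().lower()
    dynurl_map = server.get("dynurl-map", "")
    findings: List[str] = []
    if decode_query == "no":
        findings.append(
            "decode-query = no: query string and POST body data are passed "
            "to the back-end application without WebSEAL validation"
        )
        if dynurl_map:
            findings.append(
                f"dynurl-map = {dynurl_map!r} while decode-query = no: dynamic "
                "URL mapping for authorization must be disabled (leave dynurl-map blank)"
            )
    return findings


# Constructed sample configurations (not real webseald.conf files).
CONF_DEFAULT = """
[server]
decode-query = yes
dynurl-map = example-dynurl.conf
"""

CONF_UNVALIDATED_WITH_DYNURL = """
# validation off, but dynamic URL mapping still configured
[server]
decode-query = no
dynurl-map = example-dynurl.conf
"""

CONF_UNVALIDATED_CONSISTENT = """
[server]
decode-query = no
dynurl-map =
"""


if __name__ == "__main__":
    for name, conf in [
        ("default", CONF_DEFAULT),
        ("no validation + dynurl", CONF_UNVALIDATED_WITH_DYNURL),
        ("no validation, dynurl blank", CONF_UNVALIDATED_CONSISTENT),
    ]:
        print(name, "->", audit_decode_query(conf) or ["no findings"])
```

Run it against a copy of the real configuration file by reading the file into a string and passing it to audit_decode_query; the first finding is informational (the page describes that behaviour as a supported choice), while the second is the misconfiguration the page says must not be left in place.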