Validation of character encoding in request data

WebSEAL parses requests to ensure that their character encoding is compatible with the back-end server requirements. For example, the query string of a request can contain character encoding, such as raw binary data, that WebSEAL does not accept; WebSEAL therefore rejects the request.

The problem of invalid character encoding is also caused by the specific requirements of the back-end server application. In a typical scenario, the client makes a request to this back-end application. The request includes a query string, which is required by the back-end application, that contains character encoding unknown to WebSEAL. WebSEAL rejects the request and returns a Bad Request (400) error. The error log contains a message such as Illegal character in URL.

One solution to the problem of incorrect validation of character encoding is to configure WebSEAL to not validate the query string and POST body data of requests. The request data can then be passed unchanged to the back-end application.

To instruct WebSEAL to not validate query string and POST body data, set the value of the decode-query stanza entry in the [server] stanza of the WebSEAL configuration file to "no":

[server]
decode-query = no

The following setting is the default.

decode-query = yes

If decode-query is set to yes, WebSEAL validates the query string in requests according to the utf8-qstring-support-enabled stanza entry. See UTF-8 support in query strings. This setting applies to POST body data in requests when dynamic URL is enabled. Dynamic URL converts the POST body data in a request to query string format. See Conversion of POST body dynamic data to query string format.

If decode-query is set to yes, WebSEAL validates the POST body in requests according to the utf8-form-support-enabled stanza entry. See UTF-8 support in POST body information (forms).

If you set decode-query=no, you must understand the possible consequences for the security of protected objects. In particular, if WebSEAL is configured to not validate query strings in requests (decode-query=no), then dynamic URL mapping for authorization checking, if enabled, must be disabled.

To disable the dynamic URL feature, comment out the dynurl-map stanza entry in the [server] stanza of the WebSEAL configuration file:

[server]
#dynurl-map = bin/dynurl.conf
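The two [server] entries discussed above interact: decode-query = no is only safe when dynurl-map is commented out. The following added example (not part of the WebSEAL documentation or product) audits a configuration fragment for that combination; the fragments are constructed, and the stanza is read with Python's configparser, which treats lines beginning with # as comments just as the commented-out dynurl-map entry above is ignored.

```python
import configparser
from typing import Dict, List

# Constructed WebSEAL configuration fragments (sample input, not a real
# configuration file). Only the [server] entries discussed here appear.
RISKY_CONFIG = """
[server]
decode-query = no
dynurl-map = bin/dynurl.conf
"""

FIXED_CONFIG = """
[server]
decode-query = no
#dynurl-map = bin/dynurl.conf
"""

def parse_server_stanza(text: str) -> Dict[str, str]:
    """Return the live (uncommented) entries of the [server] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["server"]) if cp.has_section("server") else {}

def audit_decode_query(text: str) -> List[str]:
    """Report settings that disable request validation or contradict it."""
    server = parse_server_stanza(text)
    findings: List[str] = []
    # decode-query defaults to yes when the entry is absent.
    decode = server.get("decode-query", "yes").strip().lower()
    if decode == "no":
        findings.append("decode-query = no: query string and POST body are "
                        "passed to the back end unvalidated")
        if "dynurl-map" in server:
            # Dynamic URL mapping relies on the validated query string, so
            # it must be disabled when decode-query = no.
            findings.append("dynurl-map is active while decode-query = no: "
                            "comment out dynurl-map in the [server] stanza")
    return findings

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_decode_query(cfg) or ["no findings"])
```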