Request Validation policy
The request validation policy is used to validate the incoming HTTP request according to given rules. A rule is defined for an input value. This input value supports EL expression and is validated against constraint rules.
Constraint rules can be:
-
NOT_NULL: Input value is required. -
MIN: Input value is a number and its value is greater or equals to a given parameter. -
MAX: Input value is a number and its value is lower or equals to a given parameter. -
MAIL: Input value is valid according to the mail pattern. -
DATE: Input value is valid according to the date format pattern given as a parameter. The input must match the SimpleDateFormat specified in the parameters. -
PATTERN: Input value is valid according to the pattern given as a parameter. -
SIZE: Input value length is between two given parameters. -
ENUM: Field value included in ENUM. The input must match one of the case-sensitive strings specified in the parameters.
By default, if one of the rule can not be validated, the policy returns a 400 status code.
Timing
| On Request | On Response | On Request Content | On Response Content |
|---|---|---|---|
| X | X |
Configuration
| Property | Required | Description | Type | Default |
|---|---|---|---|---|
scope | yes | Phase when the policy is executed | policy scope | ON_REQUEST |
status | yes | HTTP Status Code send to the consumer in case of validation issues. | HTTP status code | 400 |
rules | yes | Rules to apply to incoming request | List of rules |
Examples
Validate a path segment
The following example validates that the third path segment of the request URL ends with .txt. If the value does not match the pattern, the policy returns a 400 status.
"policy-request-validation": {
"rules": [
{
"constraint": {
"parameters": [
".*\\.(txt)$"
],
"type": "PATTERN"
},
"input": "{#request.pathInfos[2]}"
}
],
"status": "400"
}
Validate a required header
The following example validates that the X-Correlation-ID header is present in the request. If the header is missing or null, the policy returns a 400 status.
"policy-request-validation": {
"rules": [
{
"constraint": {
"type": "NOT_NULL"
},
"input": "{#request.headers['X-Correlation-ID']}"
}
],
"status": "400"
}
Validate a query parameter value
The following example validates that the status query parameter is one of the accepted values: active, inactive, or pending. The match is case-sensitive. If the value is not in the list, the policy returns a 400 status.
"policy-request-validation": {
"rules": [
{
"constraint": {
"parameters": [
"active",
"inactive",
"pending"
],
"type": "ENUM"
},
"input": "{#request.params['status']}"
}
],
"status": "400"
}
Validate a header value length
The following example validates that the value of the X-Custom-Header header is between 1 and 50 characters. If the value is outside this range, the policy returns a 400 status.
"policy-request-validation": {
"rules": [
{
"constraint": {
"parameters": [
"1",
"50"
],
"type": "SIZE"
},
"input": "{#request.headers['X-Custom-Header']}"
}
],
"status": "400"
}
The input field supports Expression Language (EL). You can reference request headers, query parameters, path segments, and more. Refer to Expression Language request for a full list of available attributes.
HTTP Status Code
| Code | Message |
|---|---|
400 | Incoming HTTP request can not be validated. |