JSON parsing and filtering

Airlock Gateway can parse JSON (JavaScript Object Notation) objects in requests and allows filtering of JSON attributes with allow rules and deny rules. Arguments in JSON structures are treated in exactly the same way as normal HTTP parameters.

With Airlock Gateway 8.1 and later, JSON parsing configuration has become more granular. If you encounter false request blocking, follow the short instructions on how to disable JSON parsing at the end of this article.

Generation of Airlock Gateway parameters from JSON objects

For a detailed description of the JSON object syntax please refer to json.org. If parsing of a JSON object fails due to illegal syntax, a message of type WR-SG-BLOCK-109-01 (JSON syntax error message) is written to the log. The log message indicates the position of the character for which parsing failed.

Here is an example of a simple JSON object representing a user:

  "firstName": "Simon",
  "lastName": "Smith",
  "age": 25,
    { "streetAddress": "21 2nd Street", "city": "New York", "state": "NY", "postalCode": "10021" },
  "phoneNumber": [
    { "type": "home", "number": "212 555-1234" },
    { "type": "fax", "number": "646 555-4567" }
  "newSubscription": false,
  "companyName": null

Airlock Gateway automatically generates flattened parameters from object attributes. Parameter names start with "#json" and attribute names are separated by hashes (#). Entries in arrays are enumerated. Parameter values are generated from the trimmed strings of the original JSON record values.

For example, the following parameters are generated from the above user object:

Parameter Name

Parameter Value








21 2nd Street


New York








212 555-1234




646 555-4567





Filtering of JSON attributes

The parameters generated from JSON objects are treated the same way as parameters from GET or POST requests. That is, JSON parameters must comply with allow and deny rule limitations.

Also, parameters generated from JSON objects can be excluded from filters, just as ordinary parameters. For instance, to exclude all phone numbers in the above object from a deny rule, add this parameter exception: ^#json#phonenumber#[[:digit:]]+#number$.

In addition every flattened parameter is counted as one parameter. This means that in this JSON example Airlock Gateway counts 13 parameters. Please check if the 'Max parameters' value in the allow rule is sufficient.

How to disable JSON parsing

On mappings, JSON parsing-related configuration options are available on different tabs. Any JSON-related Airlock Gateway feature, e.g., JSON limit enforcement, uses the JSON parser.
To ensure that JSON is not parsed perform the following steps on each related mapping:

  1. On tab Limits, switch OFF JSON Limits.
  2. On tab API Security:
    1. In section Basic Call Verification, uncheck Treat JSON objects as parameters.
    2. In section OpenAPI, uncheck Enforce API.
    3. In section GraphQL, uncheck Enable parser.
  3. On tab Advanced, choose a JSON content type regex that will not match with JSON content.