000014303 - AxM/ClearTrust - Protecting HTTP URLs With Query Strings

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014303
Applies To: RSA Access Manager 6.0.x
RSA ClearTrust 5.5 Authorization Server (AServer)
Issue: AxM/ClearTrust - Protecting HTTP URLs With Query Strings
Notes

Out of the box this is supported, but with a severe limitation: the match is a strict string comparison, so the exact order, number and values of the query-string parameters must match a resource defined in the data store. If the protected URI takes a small set of query-string parameters with a known set of values, this can work. If the protected URI takes a large number of parameters, or the order or number of parameters changes from request to request, the customer may need to develop custom SPI checkResourceStatus and authorize hooks to perform the matching.

Below is a debug log for a checkResourceStatus request showing how AxM "hunts" for a protected resource based on the URI it receives from the Agent. If an exact match is not found, the AxM Authorization Server hunts for a match based on different combinations of the URI: first it strips off the query string, then it tries the same filename with any extension, then any filename with that extension, then any filename with any extension, and lastly any file without an extension. If none of these candidates matches a defined resource, the request is answered with UNPROTECTED_RESOURCE. I cleaned up some of the debug output for readability.

08:54:19:593 [*] [MUXWORKER-4] - FunctionMapping.createObjectFromFunctionNode(): about to invoke method public java.util.Map
                                 sirrus.authserver.TCPServerAPIAdaptor.checkResourceStatus(java.util.Map,java.util.Map) on 2 args
08:54:19:625 [*] [MUXWORKER-4] - For URL String /form.asp?a=d the following protections were generated
08:54:19:625 [*] [MUXWORKER-4] - [/form.asp?a=d, /form.asp, /form.*, /*.asp, /*.*, /*]
08:54:19:640 [*] [MUXWORKER-4] - ProtectedURIGenerator.getPossibleProtections()
08:54:19:640 [*] [MUXWORKER-4] -        original URI: "/form.asp?a=d"
08:54:19:640 [*] [MUXWORKER-4] -        max number of slashes in Web server: 2
08:54:19:656 [*] [MUXWORKER-4] -        URI substring: "/form.asp?a=d"
08:54:19:656 [*] [MUXWORKER-4] -        number of possible protections: 6
08:54:19:671 [*] [MUXWORKER-4] - Hunt for "/form.asp?a=d"
08:54:19:671 [*] [MUXWORKER-4] - URI lookup set is [URL Resource: name = VM226-17, uri = /form.asp?a=b, (Tue Mar 27 08:54:03 EST 2007),
                                                    URL Resource: name = VM226-17, uri = /form.asp?a=c, (Tue Mar 27 08:54:03 EST 2007)]
08:54:19:671 [*] [MUXWORKER-4] - Hunt for "/form.asp"
08:54:19:671 [*] [MUXWORKER-4] - URI lookup set is [URL Resource: name = VM226-17, uri = /form.asp?a=b, (Tue Mar 27 08:54:03 EST 2007),
                                                    URL Resource: name = VM226-17, uri = /form.asp?a=c, (Tue Mar 27 08:54:03 EST 2007)]
08:54:19:671 [*] [MUXWORKER-4] - Hunt for "/form.*"
08:54:19:687 [*] [MUXWORKER-4] - URI lookup set is [URL Resource: name = VM226-17, uri = /form.asp?a=b, (Tue Mar 27 08:54:03 EST 2007),
                                                    URL Resource: name = VM226-17, uri = /form.asp?a=c, (Tue Mar 27 08:54:03 EST 2007)]
08:54:19:687 [*] [MUXWORKER-4] - Hunt for "/*.asp"
08:54:19:687 [*] [MUXWORKER-4] - URI lookup set is [URL Resource: name = VM226-17, uri = /form.asp?a=b, (Tue Mar 27 08:54:03 EST 2007),
                                                    URL Resource: name = VM226-17, uri = /form.asp?a=c, (Tue Mar 27 08:54:03 EST 2007)]
08:54:19:687 [*] [MUXWORKER-4] - Hunt for "/*.*"
08:54:19:687 [*] [MUXWORKER-4] - URI lookup set is [URL Resource: name = VM226-17, uri = /form.asp?a=b, (Tue Mar 27 08:54:03 EST 2007),
                                                    URL Resource: name = VM226-17, uri = /form.asp?a=c, (Tue Mar 27 08:54:03 EST 2007)]
08:54:19:687 [*] [MUXWORKER-4] - Hunt for "/*"
08:54:19:703 [*] [MUXWORKER-4] - URI lookup set is [URL Resource: name = VM226-17, uri = /form.asp?a=b, (Tue Mar 27 08:54:03 EST 2007),
                                                    URL Resource: name = VM226-17, uri = /form.asp?a=c, (Tue Mar 27 08:54:03 EST 2007)]
08:54:19:703 [*] [MUXWORKER-4] - Unprotected uri for /form.asp?a=d
08:54:19:703 [*] [MUXWORKER-4] - AuthorizationAdaptor.convertResultMap( {RETURN_CODE=UNPROTECTED_RESOURCE} ) returning 21
08:54:19:703 [*] [MUXWORKER-4] - LogEventDispatcher: current log level is 40 event's log level is 40
08:54:19:703 [*] [MUXWORKER-4] - AuthorizationAPI.checkResourceStatus( {WEB_SERVER_NAME=VM226-17, TYPE=WEB_RESOURCE, URI=/form.asp?a=d},
                                 {CLIENT_IP=10.101.226.5, CLIENT_VERSION=7, CLIENT_PORT=4076, USER_GROUPS_ENABLED=false, TOKENS_ENABLED=false, USER_PROPERTIES_ENABLED=false} )
                                 returning {RETURN_CODE=UNPROTECTED_RESOURCE}
08:54:19:718 [*] [MUXWORKER-4] - TCPServerAPIAdaptor.checkResourceStatus( {WEB_SERVER_NAME=VM226-17, TYPE=WEB_RESOURCE, URI=/form.asp?a=d},
                                 {CLIENT_IP=10.101.226.5, groups=false, CLIENT_VERSION=7, props=false, CLIENT_PORT=4076, tokens=false} )
                                 returning {RETURN_CODE=UNPROTECTED_RESOURCE}
08:54:19:718 [*] [MUXWORKER-4] -        result: {RETURN_CODE=UNPROTECTED_RESOURCE}
08:54:19:718 [*] [MUXWORKER-4] - SEND MSG: DATA_MSG
08:54:19:718 [*] [MUXWORKER-4] - Removing MuxStreamBundle
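The following is an added illustration written for this article, not RSA code. It reproduces the candidate list the Authorization Server logged for "/form.asp?a=d", applies the same strict string comparison to a constructed resource set matching the two URL resources in the log, and shows the order-insensitive query comparison a custom SPI hook would need. Directory-level fallbacks (the "max number of slashes" line in the log) are not explained on this page, so the model only generates candidates for the file's own directory; that, and the handling of a path with no extension, are assumptions.

```python
"""Model of the AxM/ClearTrust resource "hunt" shown in the debug log.

Added illustration, not RSA code. Candidate generation for nested
directories and for extension-less paths is an assumption; only the
"/form.asp?a=d" case is confirmed by the log on this page.
"""
import posixpath
from typing import List, Optional, Set
from urllib.parse import parse_qs

# Return code the log shows for {RETURN_CODE=UNPROTECTED_RESOURCE}
UNPROTECTED_RESOURCE = 21


def possible_protections(uri: str) -> List[str]:
    """Candidate resource strings in the order the AServer hunts them.

    Order taken from the log: exact URI, URI without the query string,
    same filename with any extension, any filename with that extension,
    any filename with any extension, any file without an extension.
    """
    path, had_query, _ = uri.partition("?")
    directory, filename = posixpath.split(path)
    if not directory.endswith("/"):
        directory += "/"
    base, ext = posixpath.splitext(filename)

    candidates = [uri]
    if had_query:
        candidates.append(path)                     # strip the query string
    if ext:
        candidates.append(f"{directory}{base}.*")   # same filename, any extension
        candidates.append(f"{directory}*{ext}")     # any filename, this extension
        candidates.append(f"{directory}*.*")        # any filename, any extension
    candidates.append(f"{directory}*")              # any file without an extension
    return candidates


def hunt(uri: str, protected: Set[str]) -> Optional[str]:
    """Strict string comparison of each candidate against the data store.

    Returns the resource string that matched, or None when the AServer
    would answer UNPROTECTED_RESOURCE (return code 21 in the log).
    """
    for candidate in possible_protections(uri):
        if candidate in protected:
            return candidate
    return None


def same_query(uri_a: str, uri_b: str) -> bool:
    """Order-insensitive comparison of path plus parsed query parameters.

    The product does not do this; it is the kind of check a custom
    checkResourceStatus/authorize SPI hook would implement to match
    "?b=1&a=2" against a resource defined as "?a=2&b=1".
    """
    path_a, _, query_a = uri_a.partition("?")
    path_b, _, query_b = uri_b.partition("?")
    return path_a == path_b and parse_qs(query_a) == parse_qs(query_b)


# Constructed resource set mirroring the two URL resources in the log.
LOG_RESOURCES = {"/form.asp?a=b", "/form.asp?a=c"}
# Same set plus the bare script, so that stripping the query string lands
# on a defined resource instead of falling through to UNPROTECTED_RESOURCE.
HARDENED_RESOURCES = LOG_RESOURCES | {"/form.asp"}


if __name__ == "__main__":
    print(possible_protections("/form.asp?a=d"))
    for request in ("/form.asp?a=b", "/form.asp?a=d", "/form.asp?a=b&x=1"):
        print(request,
              "| log set ->", hunt(request, LOG_RESOURCES) or "UNPROTECTED",
              "| hardened ->", hunt(request, HARDENED_RESOURCES) or "UNPROTECTED")
    print(same_query("/form.asp?b=1&a=2", "/form.asp?a=2&b=1"))
```

Running the script shows the practical consequence of the hunt order in the log: with only "/form.asp?a=b" and "/form.asp?a=c" defined, a request for "/form.asp?a=b&x=1" (one extra parameter) matches nothing and is answered UNPROTECTED_RESOURCE, exactly like "/form.asp?a=d" in the log. Whatever the Agent is configured to do with that answer, a protection that is meant to cover the script should also be defined on the bare URI ("/form.asp") or a wildcard, so that the query-string strip lands on a defined resource rather than falling through.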

Legacy Article ID: a43932
