000016095 - AxM Agents: What is the precedence of Agent inclusion and exclusion lists?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000016095
Applies ToRSA Access Manager 4.8 Agent
IssueAxM Agents: What is the precedence of Agent inclusion and exclusion lists?
Agent log file shows the following:
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - URI: /protected/excluded/test.html
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - Comparing URIs /protected/excluded/* == /protected/excluded/test.html
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - Comparing extensions gif == html
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - Comparing extensions jpg == html
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - Matched exclusion URI/extension - access implicitly allowed
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - Full URI: /protected/excluded/test.html
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - ... returning: CT_AUTH_URL_ACCESS_ALLOWED, request handled: TRUE
2011-01-10 13:12:09 -0800 - [3612] - <Info> - [NotifySendResponse]
2011-01-10 13:12:09 -0800 - [3612] - <Debug> - Response: 200
Resolution
  • The Agent exclusion list is checked first.  If the URL matches the exclusion list then the resource is immediately served.  The inclusion list is not checked.  The aserver is not contacted.
  • The Agent inclusion list is checked next.  If the inclusion list is populated AND if the URL matches the inclusion list then the aserver is contacted to see if the resource has an entitlement.  The resource is served or not served based on the success of this check.
  • If the inclusion list is populated and if the URL does not match the inclusion list then the URL is immediately served.  The aserver is not contacted.
Workaroundcleartrust.agent.url_inclusion_list= is set to some value
NotesNote: The inclusion list must be used with caution.  Since only resources on this list are subject to checks for entitlement all other URL's not on this list are served regardless of any entitlements defined on the eserver.
Legacy Article IDa53526

Attachments

    Outcomes