000020850 - Why don't we have full regular expressions in URLs for protection?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Content

Article Number: 000020850
Applies To: RSA ClearTrust 4.6.1, URL, Web Server
Issue: Why don't we have full regular expressions in URLs for protection?
Resolution: It is a common assumption that when you start the system, you should be able to make a protected URL like:
/something/*.pdf

and it will protect all of the PDF files in /something. This is incorrect.
The problem here is choosing which protected URL matches a given full URI string. If you had the above protection and another URL like:

/something/*

when the auth server receives a request to check permissions on the file /something/abc.pdf, it cannot tell which of the two protected URL strings the request matches, and therefore which policy rules to apply when allowing or denying access.
What the auth server actually supports is URI strings like:

/foo/*

Then, when a request comes in for /foo/index.html, the auth server looks for policy rule entries for URL strings in the following order:
/foo/index.html
/foo/*
/*

If there are no entries for any of these, we give up and say "unprotected resource".
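As an added illustration (not ClearTrust's own code), the lookup order above as a small Python resolver: the exact URI is tried first, then the directory-prefix entry for each enclosing directory down to /*, and the first policy entry found wins. The sample policy table, the pattern validator, and the assumption that deeper paths walk up one directory level at a time are constructed for this example.

```python
from typing import Optional

# Constructed sample policy table: protected URL string -> policy name.
# Entries are either an exact URI or a "<dir>/*" prefix; glob forms such
# as "/something/*.pdf" are not accepted (see is_valid_protected_url).
POLICIES = {
    "/foo/index.html": "allow-admins-only",
    "/foo/*": "allow-staff",
    "/*": "require-login",
}


def is_valid_protected_url(pattern: str) -> bool:
    """Accept only exact URIs or directory-prefix wildcards ending in '/*'."""
    if not pattern.startswith("/"):
        return False
    if "*" not in pattern:
        return True
    return pattern.endswith("/*") and pattern.count("*") == 1


def candidate_urls(uri: str) -> list:
    """Lookup order: exact URI, then '<dir>/*' for each directory level up to '/*'."""
    if not uri.startswith("/"):
        raise ValueError("request URI must be an absolute path")
    candidates = [uri]
    path = uri
    while True:
        parent = path.rsplit("/", 1)[0]  # drop the last path segment
        candidates.append(parent + "/*")
        if parent == "":                 # reached the root, "/*" was just added
            break
        path = parent
    return candidates


def resolve_policy(uri: str, policies=POLICIES) -> Optional[str]:
    """Return the first matching policy, or None for an unprotected resource."""
    for candidate in candidate_urls(uri):
        if candidate in policies:
            return policies[candidate]
    return None


if __name__ == "__main__":
    for request in ("/foo/index.html", "/foo/other.html", "/bar/report.pdf"):
        print(request, "->", candidate_urls(request), "=>", resolve_policy(request))
```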
Legacy Article ID: a6970
