000014583 - How to exclude files based on a regular expression in RSA Access Manager Agents

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000014583
Applies ToRSA Access Manager 4.8 Agent
IssueHow to exclude files based on a regular expression in RSA Access Manager Agents
CauseThe cleartrust.agent.url_exclusion_list= does not support regular expressions.  You can only exclude specific directories or files in the URL exclusion list.
Resolution

The rules.xml file can be used to exclude resources based on a URL that matches a regular expression.  To exclude URL's using the rules.xml file you must create a rule with an argument type of "URI" and with an expression argument that contains a regular expression that matches the URL you wish to exclude.  The action type for the rule should be of type "HTTP" with an argument to return the http result "200" for any URL that matches the rule.  This will cause the RSA Access Manager Agent to abandon processing of any URL that matches the expression and issue the http request immediately. 

An example of a rule that allows access to any aspx pages in any directory or sub directory under the home directory:

  <Rule>
        <argument type="URI" expression=" ^/home/*\.aspx"/>
        <action type="HTTP" argument="200"/>
    </Rule>

Notes

WARNING:  The regular expression engine is very powerful.  Ensure that the regular expression you create is carefully crafted only to exclude only he desired resources.  It is very easy to unintentionally create a regular expression that matches resources you do not intend to exclude.  The regular expression is not a URL, it is a substring that may match an part of the URL. 

For example the rule <argument type="URI" expression="home"/> would match

/home/user1/index.html

but it also matches

/root/homepathy/secret.html


The Access Manager agent parses the incoming URL into a URI and a querystring component before applying rules.  If you wish to match the incoming URL based on the querystring portion of the URL then you should use a rule with an argument type of "querystring". 

For example the rule <argument type="querystring" expression="home"/> would match

/root/bin/getdir.aspx?value=home

or

/root/bin/getinfo.aspx?home=Idaho

Legacy Article IDa44955

Attachments

    Outcomes