Symantec Access Management

Hi All,

I have application URL as below.

https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do 

And this application URL is protected by below Realm and Rules.

Realm:

Rule:

And I have set the policy to have access to some particular group.

So those group members can access https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do  .

So now  requirement is anything after the original URl (https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do)  should not be considered as a valid one.

Please note under /BillingWeb we have many resources like ShowAddressinfo.do, ShowAccount.do, Showinfo.do etc...

So now i need to to how to create new Realm or Rules to deny the access after https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do .

For example if anyone is trying to access "https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do?accountdetails=7rw4q78ywer " menas then it should not be valid and we need to get no access error.

Thanks,

Subash.

The IsProtected processing is Boolean in nature.  URLs are either protected or not protected and users are either authorized or not authorized.  SSO doesn't care if URLs aren't valid.  That logic falls to the application. If you set IgnoreQueryData=yes, the agent will drop the query data and only run the IsProtected request against the base file. 

Hi David,

Thank you. So just i need to set IgnoreQueryData=yes to make the URL is not Valid ?

What ever they are trying to access after ShowAddressInfo.do  we need to get error.

Thanks,

Subash

No.  You will need to code into your application to reply with an error if there is a query string.  SSO will take any URL provided and determine if it is protected and if the user is authorized.  It will not determine if the URL is actually valid for your application.

Hi David,

we need to make the code change in http.conf file ?

Thanks,

Subash

Having said that, you might try seeing if a rule will protect /*.do and /*.do?.  If these rules work, then put  /*.do? into a policy with no users.  That would deny everyone access.

You would want to make sure IgnoreQueryData=no if you try my suggestion about the /*.do and /*.do?

But Daid again am telling my requirement.

What are the resources/query which is coming after .do only should not be valid.

For example, https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do?accountNumber=700003519073&insuredName  this should be not a valid one and we need to get 403 forbbidan message.

I'm trying to help you, but your requirement seems to keep shifting.

"menas then it should not be valid and we need to get no access error"

"What ever they are trying to access after ShowAddressInfo.do  we need to get error."

"this should be not a valid one and we need to get 403 forbbidan message."

Do you specifically need a 403 forbidden message or is any access denied message ok?

Oh Sorry,

Anything is fine for me. any access denied message ok for me.

I just ran a quick test and it seems to work.

Create 1 rule that protects /*.do

Create 1 rule that protects /*.do?*

Put the rule that protects /*.do?* into an Access Denied policy and have it redirect to what ever message you want.  It won't be a 403 forbidden, but it should deny access to any URL containing a query string.

Hi David,

Please find the current configs,

Existing Realm: (I did not touched anything, still exist)

Existing Rules:(I did not touched anything, still exist)

New Rules:( I created now)

And I have added these two new Rules into one policy and i did not selected any users.

And I sent IgnoreQueryData=no

But still am seeing the same.

When am hitting https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do  am getting below page,

When am trying to access https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do?accountNumber=700003519073&insuredName=------------------------------------------------------ FATAL ERROR -------------------------------------------------------&insuredAddr1=%0a%0dAN ILLEGAL ACTION HAS BEEN PERFORMED and your account has been locked. Contact admin@whitehatsec.com immediately! &=&insuredAddr2=%0a%0dOr Telephone: xxxx-************ for assistance.%0a%0d&insuredAddr3=------------------------------------------------------ FATAL ERROR -------------------------------------------------------&riskAddr1=&riskAddr2=

Am getting 

But when am trying to access second URL i need to get Access deny page.

Please help me on this David.

Thanks,

Subash.

Can you please help me on this David.. It's bit urgent.

Since the resource you are protecting is under /BillingWeb, then the new rules need to be /BillingWeb/*.do and /BillingWeb/*.do?*.  The new rules you made will only work for resource under the root.

Your /BillingWeb/*.do?* rule should probably be setup for Deny Access as opposed to Allow Access.

Here is what your DenyAccess policy should look like.  Add all users.

Hi David,

Please find the updated rules and policy.

Here is the rule which have Deny rule,

Also please find the policy which have both Rules.

But Still am getting same page when am trying to access both URL's.

Thanks,

Subash

You need a total of 3 rules.

1.  /BillingWeb/*.do - Allow Access GET/POST - You have this one.

2. /BillingWeb/*.do?* - Deny Access GET/POST - You are missing this one

3. /BillingWeb/*.do?* - OnAccessReject.

Hi David,

It's working fine. Thank you so much for your help.

Thanks,

Subash