Symantec Access Management


Protecting Application URL

  • 1.  Protecting Application URL

    Posted Sep 04, 2018 08:54 AM

    Hi All,

     

    I have application URL as below.

     

    https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do 

     

    And this application URL is protected by below Realm and Rules.

    Realm:

     

    Rule:

    And I have set the policy to have access to some particular group.

    So those group members can access https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do.

     

    So now the requirement is that anything after the original URL (https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do) should not be considered a valid one.

     

    Please note under /BillingWeb we have many resources like ShowAddressinfo.do, ShowAccount.do, Showinfo.do etc...

     

    So now I need to know how to create a new Realm or Rules to deny access after https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do.

     

    For example, if anyone is trying to access "https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do?accountdetails=7rw4q78ywer", then it should not be valid and we need to get a no access error.

     

    Thanks,

    Subash.



  • 2.  Re: Protecting Application URL

    Posted Sep 04, 2018 09:14 AM

    The IsProtected processing is Boolean in nature.  URLs are either protected or not protected and users are either authorized or not authorized.  SSO doesn't care if URLs aren't valid.  That logic falls to the application. If you set IgnoreQueryData=yes, the agent will drop the query data and only run the IsProtected request against the base file. 



  • 3.  Re: Protecting Application URL

    Posted Sep 04, 2018 09:34 AM

    Hi David,

     

    Thank you. So I just need to set IgnoreQueryData=yes to make the URL not valid?

     

    Whatever they are trying to access after ShowAddressInfo.do, we need to get an error.

     

    Thanks,

    Subash



  • 4.  Re: Protecting Application URL

    Posted Sep 04, 2018 09:41 AM

    No.  You will need to code into your application to reply with an error if there is a query string.  SSO will take any URL provided and determine if it is protected and if the user is authorized.  It will not determine if the URL is actually valid for your application.



  • 5.  Re: Protecting Application URL

    Posted Sep 04, 2018 09:48 AM

    Hi David,

     

    Do we need to make the code change in the http.conf file?

     

    Thanks,

    Subash



  • 6.  Re: Protecting Application URL

    Posted Sep 04, 2018 09:52 AM

    Having said that, you might try seeing if a rule will protect /*.do and /*.do?.  If these rules work, then put  /*.do? into a policy with no users.  That would deny everyone access.



  • 7.  Re: Protecting Application URL

    Posted Sep 04, 2018 09:54 AM

    You would want to make sure IgnoreQueryData=no if you try my suggestion about the /*.do and /*.do?



  • 8.  Re: Protecting Application URL

    Posted Sep 04, 2018 10:00 AM

    But David, again I am telling you my requirement.

     

    Only the resources/query that come after .do should not be valid.

     

    For example, https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do?accountNumber=700003519073&insuredName should not be a valid one and we need to get a 403 forbidden message.



  • 9.  Re: Protecting Application URL

    Posted Sep 04, 2018 10:09 AM

    I'm trying to help you, but your requirement seems to keep shifting.

     

    "means then it should not be valid and we need to get no access error"

    "Whatever they are trying to access after ShowAddressInfo.do we need to get error."

    "this should be not a valid one and we need to get 403 forbidden message."

     

    Do you specifically need a 403 forbidden message or is any access denied message ok?



  • 10.  Re: Protecting Application URL

    Posted Sep 04, 2018 10:14 AM

    Oh Sorry,

     

    Anything is fine for me. Any access denied message is OK for me.



  • 11.  Re: Protecting Application URL

    Posted Sep 04, 2018 10:39 AM

    I just ran a quick test and it seems to work.

     

    Create 1 rule that protects /*.do

    Create 1 rule that protects /*.do?*

     

    Put the rule that protects /*.do?* into an Access Denied policy and have it redirect to whatever message you want.  It won't be a 403 forbidden, but it should deny access to any URL containing a query string.



  • 12.  Re: Protecting Application URL

    Posted Sep 04, 2018 11:04 AM

    Hi David,

     

    Please find the current configs,

     

    Existing Realm: (I did not touch anything, it still exists)

     

    Existing Rules: (I did not touch anything, they still exist)

     

    New Rules: (I created these now)

     

    And I have added these two new Rules into one policy and I did not select any users.

    And I set IgnoreQueryData=no

     

    But still I am seeing the same.

     

    When I am hitting https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do I am getting the below page,

     

     

    When I am trying to access https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do?accountNumber=700003519073&insuredName=------------------------------------------------------ FATAL ERROR -------------------------------------------------------&insuredAddr1=%0a%0dAN ILLEGAL ACTION HAS BEEN PERFORMED and your account has been locked. Contact admin@whitehatsec.com immediately! &=&insuredAddr2=%0a%0dOr Telephone: xxxx-************ for assistance.%0a%0d&insuredAddr3=------------------------------------------------------ FATAL ERROR -------------------------------------------------------&riskAddr1=&riskAddr2=

     

    I am getting

    But when I am trying to access the second URL, I need to get the Access Deny page.

     

    Please help me on this David.

     

    Thanks,

    Subash.



  • 13.  Re: Protecting Application URL

    Posted Sep 04, 2018 11:46 AM

    Can you please help me on this, David? It's a bit urgent.



  • 14.  Re: Protecting Application URL

    Posted Sep 04, 2018 12:03 PM

    Since the resource you are protecting is under /BillingWeb, the new rules need to be /BillingWeb/*.do and /BillingWeb/*.do?*.  The new rules you made will only work for resources under the root.



  • 15.  Re: Protecting Application URL

    Posted Sep 04, 2018 12:05 PM

    Your /BillingWeb/*.do?* rule should probably be set up for Deny Access as opposed to Allow Access.



  • 16.  Re: Protecting Application URL

    Posted Sep 04, 2018 12:22 PM

    Here is what your DenyAccess policy should look like.  Add all users.

    DenyAccess Policy



  • 17.  Re: Protecting Application URL

    Posted Sep 04, 2018 12:55 PM

    Hi David,

     

    Please find the updated rules and policy.

     

     

    Here is the rule which has the Deny rule,

     

     

    Also please find the policy which has both rules.

     

    But still I am getting the same page when I am trying to access both URLs.

     

    Thanks,

    Subash



  • 18.  Re: Protecting Application URL
    Best Answer

    Posted Sep 04, 2018 02:07 PM

    You need a total of 3 rules.

     

    1. /BillingWeb/*.do - Allow Access GET/POST - You have this one.

    2. /BillingWeb/*.do?* - Deny Access GET/POST - You are missing this one.

    3. /BillingWeb/*.do?* - OnAccessReject.
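    As an added illustration (not SiteMinder's own code or algorithm), the following Python model shows why the three-rule setup above works, why the earlier root-level rules did not, and why IgnoreQueryData=yes would defeat the deny rule. It assumes a realm resource filter of / and treats * as spanning one path segment before the ? and anything after it, which is consistent with the thread's observation that root-level filters did not cover /BillingWeb.

```python
import re
from urllib.parse import urlsplit

# Constructed example: the thread's final rules as (resource filter, action).
# The OnAccessReject rule is represented only by the "deny" outcome; realm assumed "/".
FINAL_RULES = [
    ("/BillingWeb/*.do",   "allow"),
    ("/BillingWeb/*.do?*", "deny"),
]
# The earlier, non-working attempt: filters relative to the web root.
ROOT_RULES = [("/*.do", "allow"), ("/*.do?*", "deny")]

def filter_matches(pattern, resource):
    """Simplified resource-filter match (model assumption, not the product's algorithm):
    '*' spans one path segment before '?' and anything after it; a filter containing
    '?' only matches resources that carry a query string, and vice versa."""
    if ("?" in pattern) != ("?" in resource):
        return False
    pat_path, _, pat_query = pattern.partition("?")
    res_path, _, res_query = resource.partition("?")
    path_re = "[^/]*".join(re.escape(p) for p in pat_path.split("*"))
    query_re = ".*".join(re.escape(p) for p in pat_query.split("*"))
    return bool(re.fullmatch(path_re, res_path)) and bool(re.fullmatch(query_re, res_query))

def agent_resource(url, ignore_query_data):
    """Resource string the agent evaluates: IgnoreQueryData=yes drops the query string,
    so a deny rule written against '?*' can never fire."""
    parts = urlsplit(url)
    if ignore_query_data or "?" not in url:
        return parts.path
    return f"{parts.path}?{parts.query}"

def decide(url, rules=FINAL_RULES, ignore_query_data=False):
    """'deny' if any matching rule denies, else 'allow' if one allows, else 'unprotected'."""
    resource = agent_resource(url, ignore_query_data)
    actions = {action for pattern, action in rules if filter_matches(pattern, resource)}
    if "deny" in actions:
        return "deny"
    if "allow" in actions:
        return "allow"
    return "unprotected"

if __name__ == "__main__":
    base = "https://dev-billinginquiry.lmig.com/BillingWeb/ShowAddressInfo.do"
    print(decide(base))                                                 # allow
    print(decide(base + "?accountNumber=700003519073"))                 # deny
    print(decide(base + "?accountNumber=700003519073", ignore_query_data=True))  # allow
    print(decide(base, rules=ROOT_RULES))                               # unprotected
```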



  • 19.  Re: Protecting Application URL

    Posted Sep 04, 2018 02:15 PM

    Hi David,

     

    It's working fine. Thank you so much for your help.

     

    Thanks,

    Subash