Web Agent Guides › Web Agent Configuration Guide › SSO Security Zones › Ignore Unprotected Resources

Ignore Unprotected Resources

You can improve the performance of CA SiteMinder® by ignoring requests for resources that you do not want to protect. The following parameters are available:

• Reduce overhead by ignoring certain file extensions.
• Specify which virtual servers the agent ignores.
• Ignore query data in URLs.
• Allow unrestricted access to URIs.

Reduce Overhead by Ignoring File Extensions of Unprotected Resources

You can reduce CA SiteMinder® overhead by instructing the Web Agent to ignore requests for certain types of resources with the following parameter:

IgnoreExt

Specifies the types of resources for which the Web Agent passes requests to the web server without checking CA SiteMinder® policies.The Web Agent allows access to the items specified by this parameter even if they exist in a realm that is protected by a CA SiteMinder® policy.

Requests for resources that meet either of the following conditions may be ignored:

• The resource ends in one of the extensions that you configure the Web Agent to ignore.
• The URI of the protected resource contains a single period (.).

  For example, if a URI for a requested resource is /my.dir/ the Web Agent passes the request directly to the web server.

Default: .class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc

Important! Use caution when setting the IgnoreExt parameter. There are some security issues that you may want to consider.

By default, the Agent does not ignore requests for resources that contain two or more periods separated by a slash (/). Web Agents handle requests for resources using the process shown in the following example:

1. The .gif extension is added to the IgnoreExt parameter. Requests for resources with the .gif extension are be ignored by the Web Agent.
2. A request is made for the following URI:

   /dir1/app.pl/file1.gif,

3. The Web Agent checks /dir1/app.pl/file1.gif against the policy server because some web servers will execute /dir1/app.pl as an application instead of serving the file1.gif resource.

   Granting access to /dir1/app.pl/file1.gif without consulting the web server may have caused a security breach.

To reduce overhead by ignoring the file extensions of unprotected resources, add the extensions of the resources you want to ignore to the value IgnoreExt parameter.

Specify Virtual Servers for the Web Agent to Ignore

If a web server at your site supports several virtual servers, there may be resources on these virtual servers that you do not want to protect with the Web Agent. To simplify how the Web Agent distinguishes which portions of a web server's content it protects, use the following parameter:

IgnoreHost

Specifies the fully qualified domain names of any virtual servers that you want the web Agent to ignore. Resources on such virtual servers will be auto-authorized, and the Web Agent always grants access to them regardless of which client makes the request. The authorization decision is based on the configuration of the Web Agent instead of being based on a policy.

The list of ignored hosts is checked first before any other auto-authorization checks, such as the IgnoreExt and IgnoreURL settings. Therefore, the double-dot rule will not trigger an authorization call to the Policy Server for resources on an ignored host but would not be ignored by extension.

The host portion of the URL entries for the IgnoreHost parameter must exactly match what the Web Agent reads for the host header of the requested resource.

Note: This value is case-sensitive.

If the URL uses a specific port, then the port must specified.

For centrally-managed agents, use a multi-value parameter in the Agent Configuration Object to represent several servers. For agents configured with a local configuration file, list each host on a separate line in the file.

Example: (URL shown with port specified)

IgnoreHost="myserver.example.org:8080"

Example: (local configuration file)

IgnoreHost="my.host.com"

IgnoreHost="your.host.com"

Default: No default

To specify virtual servers for the Web Agent to Ignore, do either of the following tasks:

• For central configuration, add the servers you want to ignore to your agent configuration object. For more than one server, use the multi-value setting for the parameter.
• For local configuration, add a separate line for each server in the local configuration file.

Resources using the specified URLs are ignored by the Web Agent and access to those resources is granted automatically.

More Information

Handle Complex URIs

Ignore Query Data in a URL

The IgnoreQueryData parameter affects the way Web Agents treat URLs. If you do not want the Web Agent cache the entire URL and send the URIs with their query strings to the Policy Server for rule processing, you improve performance with the following parameter:

IgnoreQueryData

Specifies whether the Web Agent will cache the entire URL (including the query strings) and send the entire URI to the Policy Server for rule processing. A full URL string contains a URI, a hook (?), and some query data, as shown in the following example:

URI?query_data

URLs that have been the subjects of requests are cached by default. Subsequent requests search the cache for a match. If requests for the same URI contain different query data, the match fails. Ignoring the query data improves performance.

When the IgnoreQueryData parameter is set to yes, the following occurs:

• The URL is truncated at the hook. Only the URI is cached and sent to the Policy Server. The query data is maintained elsewhere, for the purpose of maintaining the proper state for redirects.
• Only the part before the hook is sent to the Policy Server for rule processing.
• Both URIs in the following example are handled as the same resource:

  /myapp?data=1

  /myapp?data=2

When the IgnoreQueryData parameter is set to no, the following occurs:

• The entire URL is cached.
• The entire URI is sent to the Policy Server for rule processing.
• The URIs in the following example are handled as different resources:

  /myapp?data=1

  /myapp?data=2

Default: No

To have the Web Agent send only URIs to the Policy Server for processing, set the value of the IgnoreQueryData parameter to yes.

Important! Do not enable this setting if you have policies which depend on URL query data.

Allow Un-restricted Access to URIs

If you have URIs that you do not want to protect with CA SiteMinder®, you can direct the Web Agent to ignore and allow un-restricted access to those URIs by setting the following parameter:

IgnoreUrl

Specifies a URI within a URL that will not be protected. Users attempting to access the resource associated with the URI will not be challenged. The Web Agent ignores the URI portion of the string after three forward slashes. For example, if you set this parameter to the following value:

http://www.example.com/directory

The Web Agent ignores the following URI:

directory

The Web Agent ignores the specified URI wherever it occurs, even if it is under a different domain. For example, the Web Agent ignores the URI shown previously in all of the following URLs:

http://www.example.com/directory
http://www.example.net/directory
http://www.example.org/directory

Note: This value is case-sensitive.

Default: No default.

Example: (multiple URIs in local configuration file)

IgnoreUrl="http://www.example.com/directory"

IgnoreUrl="http://www.example.com/directory2"

Example: (using a URI only, without specifying a domain)

IgnoreUrl="/resource/"

To allow un-restricted access to URIs, do either of the following tasks:

• For central configuration, add the fully qualified domain names with the URIs that you want to ignore to your agent configuration object. For more than one URI, use the multi-value setting for the parameter.
• For local configuration, add a separate line for each fully qualified domain name and URI in the local configuration file.

Resources using the specified URIs are ignored by the Web Agent and access to those resources is granted automatically.