

Enforce Security with URL Monitoring

This section contains the following topics:

URL Monitoring Overview

Reduce Overhead by Ignoring File Extensions of Unprotected Resources

How to Protect Resources Without Periods or Extensions

Protect Resources Without Extensions

Secure Applications

Handle Complex URIs

Specify Bad URL Characters

Specify Bad TARGET Characters

Enable Bad Form Characters

Specify Bad Query Characters

Restrict Characters Allowed in Host Names

URL Monitoring Overview

The Web Agent can prevent attacks by malicious users trying to halt normal operation of a Web site or circumvent a site’s security mechanisms to gain illegal access to information.

The Web Agent monitors URLs in resource requests and enforces the security policies for these resources. SiteMinder Web Agents interpret and parse URLs differently from the web servers where the resources reside. These differences can result in subtle performance and security issues that potentially allow unauthorized users to gain access to resources. You need to consider these issues in the design of your Web site and the configuration of the SiteMinder Web Agent.

Reduce Overhead by Ignoring File Extensions of Unprotected Resources

You can reduce SiteMinder overhead by instructing the Web Agent to ignore requests for certain types of resources with the following parameter:

IgnoreExt

Specifies the types of resources for which the Web Agent passes requests to the web server without checking SiteMinder policies. The Web Agent allows access to the items specified by this parameter even if they exist in a realm that is protected by a SiteMinder policy.

Requests for resources that meet either of the following conditions may be ignored:

Default: .class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc

Important! Use caution when setting the IgnoreExt parameter. There are some security issues that you may want to consider.

By default, the Agent does not ignore requests for resources that contain two or more periods separated by a slash (/). Web Agents handle requests for resources using the process shown in the following example:

  1. The .gif extension is added to the IgnoreExt parameter. Requests for resources with the .gif extension are ignored by the Web Agent.
  2. A request is made for the following URI:

    /dir1/app.pl/file1.gif

  3. The Web Agent checks /dir1/app.pl/file1.gif against the policy server because some web servers will execute /dir1/app.pl as an application instead of serving the file1.gif resource.

    Granting access to /dir1/app.pl/file1.gif without consulting the web server may have caused a security breach.

To reduce overhead by ignoring the file extensions of unprotected resources, add the extensions of the resources you want to ignore to the value of the IgnoreExt parameter.
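The following Python model of the IgnoreExt decision described above is an added example, not part of this documentation or of the SiteMinder Web Agent code. It assumes the default extension list shown earlier, a case-insensitive extension match, and that the query string is dropped before the path is examined.

```python
from urllib.parse import urlsplit

# Default IgnoreExt value as listed in the documentation above.
DEFAULT_IGNORE_EXT = [".class", ".gif", ".jpg", ".jpeg", ".png",
                      ".fcc", ".scc", ".sfcc", ".ccc", ".ntc"]


def segments_with_period(path: str) -> int:
    """Count path segments (split on '/') that contain a period."""
    return sum(1 for seg in path.split("/") if "." in seg)


def should_ignore(uri: str, ignore_ext=None) -> bool:
    """Model of the Web Agent decision for one request URI.

    True  -> request is passed to the web server without a policy check.
    False -> request is checked against the Policy Server.
    """
    exts = [e.lower() for e in (ignore_ext or DEFAULT_IGNORE_EXT)]
    path = urlsplit(uri).path  # assumption: query/fragment do not matter
    # Rule from the documentation: a URI with two or more periods separated
    # by a slash (e.g. /dir1/app.pl/file1.gif) is never ignored, because the
    # web server may execute /dir1/app.pl instead of serving file1.gif.
    if segments_with_period(path) >= 2:
        return False
    last = path.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    if dot == -1:
        return False  # no extension at all: always consult the policy
    return last[dot:].lower() in exts  # assumption: case-insensitive match


def classify(uris, ignore_ext=None):
    """Map each URI to 'ignored' or 'checked' for a quick configuration review."""
    return {u: ("ignored" if should_ignore(u, ignore_ext) else "checked")
            for u in uris}


if __name__ == "__main__":
    # Constructed sample requests for demonstration only.
    sample = ["/images/logo.gif", "/dir1/app.pl/file1.gif",
              "/dir1/app.pl", "/reports/q1.pdf", "/img/Logo.GIF?v=2"]
    for uri, verdict in classify(sample).items():
        print(f"{verdict:8} {uri}")
```

Run it with your own IgnoreExt value to see which request paths would bypass the policy check before deploying the setting.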