An unauthorized user can append a bogus resource to the end of the URL when making a request. Not every URL contains a period; this is common with servlets, for example /mydir/myservlet. If a user appends a bogus resource such as /mydir/myservlet/file.gif, the SAML Affiliate Agent ignores the request because the URL now contains a single period followed by the .gif extension, which is listed in IgnoreExtensions. The servlet engine, however, still recognizes the path to myservlet and dispatches the request to it, so the unauthorized user gains access to the protected resource /mydir/myservlet without the agent ever checking it.
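The following is an added example (not CA code) that models the mismatch described above: an extension-based ignore decision on the agent side versus prefix-based servlet dispatch on the server side. It assumes a simplified agent rule (look only at the extension of the last path segment) and a servlet-spec style mapping (longest matching servlet path, remainder treated as path info); the servlet table and URLs are constructed for the example. The hardened variant at the end is illustrative only, not an option the agent offers.

```python
"""Model of the IgnoreExtensions bypass: added example, not CA code.

Assumptions (not from the page): the agent looks only at the extension of the
last path segment, and the servlet engine uses longest-prefix servlet mapping
with the remainder of the path treated as path info.
"""
from urllib.parse import urlsplit

# Hypothetical servlet mappings, constructed for this example.
SERVLET_PATHS = ["/mydir/myservlet"]


def agent_ignores(url, ignore_extensions):
    """True if the agent would skip authorization for this request.

    Mirrors the behaviour in the text: a path with no period (typical servlet
    URL) is protected; a path whose last segment ends in a listed extension is
    ignored regardless of what precedes it.
    """
    path = urlsplit(url).path
    last_segment = path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return False  # e.g. /mydir/myservlet: no extension, so it is checked
    ext = last_segment.rsplit(".", 1)[-1].lower()
    return ext in {e.lower().lstrip(".") for e in ignore_extensions}


def servlet_engine_resolves(url, servlet_paths=SERVLET_PATHS):
    """Return the servlet path that would actually serve the request, or None.

    Longest-prefix match; any trailing segments become path info, which is why
    /mydir/myservlet/file.gif is still dispatched to /mydir/myservlet.
    """
    path = urlsplit(url).path
    for sp in sorted(servlet_paths, key=len, reverse=True):
        if path == sp or path.startswith(sp + "/"):
            return sp
    return None


def bypass(url, ignore_extensions, servlet_paths=SERVLET_PATHS):
    """True when the agent waves the request through but a protected servlet serves it."""
    return (agent_ignores(url, ignore_extensions)
            and servlet_engine_resolves(url, servlet_paths) is not None)


def agent_ignores_hardened(url, ignore_extensions, servlet_paths=SERVLET_PATHS):
    """Illustrative hardened rule (hypothetical, not an agent setting):
    never ignore a request whose path is dispatched to a servlet, whatever
    extension its last segment carries."""
    if servlet_engine_resolves(url, servlet_paths) is not None:
        return False
    return agent_ignores(url, ignore_extensions)


if __name__ == "__main__":
    attack = "http://host.example/mydir/myservlet/file.gif"
    print("IgnoreExtensions=gif, bypass:", bypass(attack, ["gif"]))      # True
    print("IgnoreExtensions blank, bypass:", bypass(attack, []))         # False
    print("hardened rule ignores attack:",
          agent_ignores_hardened(attack, ["gif"]))                       # False
```

With gif listed, `bypass` reports the exact path traversal the text describes; with IgnoreExtensions left blank, the agent evaluates every request and the trick fails, which is the trade-off the next paragraph discusses: no extension is skipped, so static content is also authorized on each request.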
Weigh the security and performance trade-offs of this situation. If security is your primary concern, you may want to leave the IgnoreExtensions element blank so that no request is skipped on the basis of its extension, but be aware of the following consequences:
Copyright © 2011 CA. All rights reserved.