Web Agent Guides › Web Agent Configuration Guide › User Protection › How to Protect Resources Without Periods or Extensions

How to Protect Resources Without Periods or Extensions

Some URLs, such as servlets, do not have peroids. Other URLs may not have extensions. Both of these situations pose security risks. The following process demonstrates these risks:

1. Your environment contains a directory called /mydir/servlets that is a protected resource.
2. Your Web Agent is configured to ignore requests for resources with the .gif extension.
3. An unauthorized user appends the name of a nonexistent file along with a .gif extension to the end of the URL as shown in the following example:

   /mydir/servlets/file.gif

4. The Web Agent ignores the .gif extension and grants the unauthorized user access to the /mydir/servelets directory.

If you are most concerned about the security risks, do not allow the Agent to ignore any extensions, but consider the following consequences:

• Performance may decrease because the Web Agent will evaluate every image URL on a page.
• Behavior of your Web site may change because users may be challenged for resources that formerly did not require authentication.

The following options are available to protect URLs that do not have periods:

• Configure the Agent to use the OverrideIgnoreExtFilter feature.
• Make sure that protected resources do not have extensions that the Web Agent is configured to ignore.