Chapter 16: Control Inbound URL Processing
This section contains the following topics:
Decode Query Data in a URL (see page 197)
Ignore Query Data in a URL (see page 198)
Query String Encryption of Redirect URLs (see page 199)
Allow Un-restricted Access to URIs (see page 202)
Set a Maximum URL Size (see page 203)
Decode Query Data in a URL
To have the Web Agent’s Base64 algorithm decode a URL’s query data before calling the Policy Server (so the Policy Server sees the proper resource), use the following parameter:
DecodeQueryData
Specifies whether the Web Agent decodes the query data in a URL before calling the Policy Server. Set this parameter to yes if you need to do any of the following tasks in your environment:
■ Ensure that the rules filter acts against the proper (decoded) string.
■ Write rules against the data in a query string.
Default: No
To have the Web Agent decode the query data in a URL before calling the Policy Server, set the value of the DecodeQueryData parameter to yes.
198 Web Agent Guide
Ignore Query Data in a URL
The IgnoreQueryData parameter affects the way Web Agents treat URLs. If you do not want the Web Agent to cache the entire URL and send URIs with their query strings to the Policy Server for rule processing, you can improve performance with the following parameter:
IgnoreQueryData
Specifies whether the Web Agent will cache the entire URL (including the query strings) and send the entire URI to the Policy Server for rule processing. A full URL string contains a URI, a hook (?), and some query data, as shown in the following example:
URI?query_data
URLs that have been the subjects of requests are cached by default.
Subsequent requests search the cache for a match. If requests for the same URI contain different query data, the match fails. Ignoring the query data improves performance.
When the IgnoreQueryData parameter is set to yes, the following occurs:
■ The URL is truncated at the hook. Only the URI is cached and sent to the Policy Server. The query data is maintained elsewhere, for the purpose of maintaining the proper state for redirects.
■ Only the part before the hook is sent to the Policy Server for rule processing.
■ Both URIs in the following example are handled as the same resource:
/myapp?data=1
/myapp?data=2
When the IgnoreQueryData parameter is set to no, the following occurs:
■ The entire URL is cached.
■ The entire URI is sent to the Policy Server for rule processing.
■ The URIs in the following example are handled as different resources:
/myapp?data=1
/myapp?data=2
Default: No
To have the Web Agent send only URIs to the Policy Server for processing, set the value of the IgnoreQueryData parameter to yes.
Important! Do not enable this setting if you have policies which depend on URL query data.
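The following is an added illustration (not code from the Web Agent Guide or from the Agent itself) that models how IgnoreQueryData changes the resource string the Agent caches and sends to the Policy Server, why it reduces Policy Server calls, and a pre-flight check for the caveat above: any rule whose resource filter references query data can never match once the setting is enabled. The function names, the rule list and the sample URLs are constructed.

```python
"""Model of the IgnoreQueryData behaviour described in the guide.

Added example: the real Agent cache and Policy Server rule engine are more
involved; this only reproduces the URL truncation at the hook ('?') and its
effect on cache matching.
"""
from urllib.parse import urlsplit


def resource_for_policy_server(url: str, ignore_query_data: bool) -> str:
    """Return the string the Agent caches and sends for rule processing.

    IgnoreQueryData=yes: the URL is truncated at the hook, only the URI is
    used.  IgnoreQueryData=no: the full URI?query_data string is used.
    """
    parts = urlsplit(url)
    uri = parts.path or "/"
    if ignore_query_data or not parts.query:
        return uri
    return f"{uri}?{parts.query}"


def policy_server_calls(urls: list[str], ignore_query_data: bool) -> int:
    """Count requests that miss the resource cache and reach the Policy Server.

    Repeated requests for the same URI with different query data are cache
    hits only when the query data is ignored, which is the performance gain
    the guide describes.
    """
    cache: dict[str, str] = {}
    calls = 0
    for url in urls:
        key = resource_for_policy_server(url, ignore_query_data)
        if key not in cache:
            calls += 1
            cache[key] = "decision"  # the Policy Server's answer is cached
    return calls


def query_dependent_rules(rule_filters: list[str]) -> list[str]:
    """Return rule resource filters that reference query data (contain '?').

    Run this over your rules before setting IgnoreQueryData to yes: with the
    query data stripped, the Policy Server never sees the part after the
    hook, so these rules silently stop matching.
    """
    return [r for r in rule_filters if "?" in r]
```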
Query String Encryption of Redirect URLs
When a Web Agent communicates with credential collectors, such as the FCC and SCC, the Password Services application (CGI or JSP), or a Cookie Provider, it uses protocol parameters that are shown in clear text in the redirection URL.
The Web Agent can now encrypt all SiteMinder query parameters in a redirect URL, further securing Agent interactions. The Web Agent only encrypts data sent between SiteMinder components, not data in redirects to non-SiteMinder applications.
When query string encryption is enabled, the Web Agent encrypts query data when it returns a 302 redirect response to the browser. The 302 response redirects the user to another SiteMinder resource.
All the query parameters are grouped into a single query parameter called smquerydata. When the SecureUrls parameter is enabled, SiteMinder denies access to any request that lacks an encrypted smquerydata parameter where one is required.
The SecureUrls feature is not supported when any of the following parameters are enabled:
FCCCompatMode
Enable an FCC/NTC to serve up forms for resources protected by 4.x Web Agents or third party applications.
Note: SMUSRMSG is supported for the custom authentication scheme only when FCCCompatMode is set to yes.
Default: (traditional agents) Yes
Default: (framework agents) No
Important! Setting this parameter to no removes support for version 4.x of the Netscape browser.
LegacyEncoding
Forces the Web Agent to replace any dollar sign ($) characters in legacy URLs with a hyphen (-). This also ensures backward compatibility with MSR, Password Services, and DMS. When this parameter is set to no, a Web Agent converts the string $SM$ to -SM-. When this parameter is set to yes, the Web Agent does not convert the dollar sign ($) character.
Default: (Framework Agents) No
Default: (Traditional Agents) Yes
If the SecureUrls parameter is set to yes, the Web Agent ignores the values of the previous parameters, even if they are set to yes. When this happens, these parameters have a value of no in the Agent logs, regardless of their settings in the configuration object or configuration file, as shown in the following example:
[12/Jul/2005:05:23:57-975-1-0] SecureUrls: 'YES'
[12/Jul/2005:05:23:57-975-1-0] FccCompatMode: 'NO'
[12/Jul/2005:05:23:57-975-1-0] LegacyEncoding: 'NO'
Query String Encryption of Redirect URLs and Credential Collectors
When you encrypt the query strings of redirect URLs that use credential collectors, the credential collectors provide the keys used to encrypt the query data.
For forms authentication schemes, the query string directive, smquerydata, is part of the FCC template. The Web Agent serving the FCC uses this directive to send the encrypted query data to the target Web Agent when the FCC is posted.
The following directive is used:
<INPUT type='hidden' name='smquerydata' value='$$smquerydata$$'>
Note: If you are using custom FCCs, you must add the smquerydata directive, along with the other FCC directives such as TARGET, to the custom FCC.
6.x QMR 5 Web Agents with the SecureUrls parameter enabled can operate only with credential collectors served from other Web Agents that support this functionality, which was introduced at 5.x QMR 7.
Query String Encryption of Redirect URLs and FCC-based Password Services
If you want to encrypt the query strings of redirect URLs, you can use only the FCC-based Password Services; CGI- or JSP-based Password Services do not work with encrypted query parameters. If you set the SecureUrls parameter to no, you can use any one of the three Password Services versions.
Note: CGI and JSP Password Services are deprecated as of 5.x QMR 7, but are still supported.