CA SPS - ProxyRules Query

Article ID: 195708

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Please help me with my queries on CA SPS proxyrules. I've already read the documentation, but I still have queries on whether the below is supported or not.

1. Can I include a URI check within a HEADER check?
<nete:proxyrules debug="yes" xmlns:nete="http://www.ca.com/">
<nete:cond type="host" criteria="equals">
    <nete:case value="abc.myhost.com">
        <nete:cond type="header" headername="HTTP_SM_Header">
            <nete:case value="1">
                <nete:cond type="uri" criteria="beginswith">
                    <nete:case value="api">
                        <nete:forward>http://google.com$0</nete:forward>
                    </nete:case>
                    <nete:case value="admin">
                        <nete:forward>http://google.com$0</nete:forward>
                    </nete:case>
                    <nete:default>
                        <nete:forward>http://yahoo.com$0</nete:forward>
                    </nete:default>
                </nete:cond>
            </nete:case>
            <nete:default>
                <nete:cond type="uri" criteria="beginswith">
                    <nete:case value="api">
                        <nete:forward>http://google.com$0</nete:forward>
                    </nete:case>
                    <nete:case value="admin">
                        <nete:forward>http://google.com$0</nete:forward>
                    </nete:case>
                    <nete:default>
                        <nete:forward>http://bing.com$0</nete:forward>
                    </nete:default>
                </nete:cond>
            </nete:default>
        </nete:cond>
    </nete:case>
    <nete:default>
        <nete:forward>http://cnn.com</nete:forward>
    </nete:default>
</nete:cond>
</nete:proxyrules>

2. Can I make two header checks sequentially?

<nete:proxyrules debug="yes" xmlns:nete="http://www.ca.com/">
<nete:cond type="host" criteria="equals">
    <nete:case value="abc.myhost.com">
        <nete:cond type="header" headername="HTTP_APP_ABC">
            <nete:case value="1">
                <nete:cond type="header" headername="HTTP_SM_XYZ">
                    <nete:case value="1">
                        <nete:forward>http://google.com$0</nete:forward>
                    </nete:case>
                    <nete:default>
                        <nete:forward>http://yahoo.com$0</nete:forward>
                    </nete:default>
                </nete:cond>
            </nete:case>
            <nete:default>
                <nete:forward>http://yahoo.com$0</nete:forward>
            </nete:default>
        </nete:cond>
    </nete:case>
    <nete:default>
        <nete:forward>http://cnn.com</nete:forward>
    </nete:default>
</nete:cond>
</nete:proxyrules>


Thanks in advance.

Environment

Release : 12.5

Component : SITEMINDER - WEB AGENT FOR APACHE

Resolution

Please note that this is ending on an implementation question. Implementation is normally within the realm of Services, not support.

For 1, I cannot see a reason why this is not allowed by the DTD, but you would need to test to make sure it works.

For 2, I am not quite sure what you are trying to do here. Is the logic:

If host = abc.myhost.com:
    If HTTP_APP_ABC=1 and HTTP_SM_XYZ=1 then forward to http://google.com$0
    Else forward to http://yahoo.com$0
Else forward to http://cnn.com

If so then something like the following should do this:

<nete:cond type="host" criteria="equals">
  <nete:case value="abc.myhost.com">
    <nete:cond type="header" headername="HTTP_APP_ABC">
      <nete:case value="1">
        <!-- HTTP_APP_ABC is 1: check the second header -->
        <nete:cond type="header" headername="HTTP_SM_XYZ">
          <nete:case value="1">
            <!-- Both headers are 1 -->
            <nete:forward>http://google.com$0</nete:forward>
          </nete:case>
          <nete:default>
            <nete:forward>http://yahoo.com$0</nete:forward>
          </nete:default>
        </nete:cond>
      </nete:case>
      <nete:default>
        <!-- HTTP_APP_ABC is not 1 -->
        <nete:forward>http://yahoo.com$0</nete:forward>
      </nete:default>
    </nete:cond>
  </nete:case>
  <nete:default>
    <!-- Any other host -->
    <nete:forward>http://cnn.com</nete:forward>
  </nete:default>
</nete:cond>
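
One way to check the nesting before deploying a rules file, as an added example that is not CA's code or part of the original article: a small Python model that walks nested nete:cond elements for one request and returns the forward target. It assumes criteria defaults to equals, exact header-name lookup, and $0 expanding to the request URI; the resolve function and its parameters are hypothetical, and SPS itself remains the authority on behaviour.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.ca.com/}"  # namespace URI used by the rules on this page

# Constructed input: the two-header rule set discussed above.
RULES = """<nete:proxyrules xmlns:nete="http://www.ca.com/">
<nete:cond type="host" criteria="equals">
  <nete:case value="abc.myhost.com">
    <nete:cond type="header" headername="HTTP_APP_ABC">
      <nete:case value="1">
        <nete:cond type="header" headername="HTTP_SM_XYZ">
          <nete:case value="1"><nete:forward>http://google.com$0</nete:forward></nete:case>
          <nete:default><nete:forward>http://yahoo.com$0</nete:forward></nete:default>
        </nete:cond>
      </nete:case>
      <nete:default><nete:forward>http://yahoo.com$0</nete:forward></nete:default>
    </nete:cond>
  </nete:case>
  <nete:default><nete:forward>http://cnn.com</nete:forward></nete:default>
</nete:cond>
</nete:proxyrules>"""

# Assumed matching semantics; "equals" is assumed when criteria is omitted.
MATCH = {
    "equals": lambda actual, want: actual == want,
    "beginswith": lambda actual, want: actual.startswith(want),
}


def resolve(xml_text, host, uri, headers):
    """Return the forward target for one request under this simplified model."""
    node = ET.fromstring(xml_text).find(NS + "cond")  # ParseError if tags are unbalanced
    while node is not None and node.tag == NS + "cond":
        kind = node.get("type")
        if kind == "header":
            actual = headers.get(node.get("headername"), "")
        elif kind in ("host", "uri"):
            actual = host if kind == "host" else uri
        else:
            raise ValueError(f"cond type not modelled: {kind}")
        test = MATCH[node.get("criteria", "equals")]
        cases = [c for c in node.findall(NS + "case") if test(actual, c.get("value"))]
        branch = cases[0] if cases else node.find(NS + "default")
        if branch is None or len(branch) != 1:
            raise ValueError(f"{kind} cond needs a default and one child per branch")
        node = branch[0]  # descend into the nested cond, or stop at the forward
    if node is None or node.tag != NS + "forward":
        raise ValueError("branch does not end in nete:forward")
    return node.text.replace("$0", uri)  # $0 modelled as the original request URI
```

A rules file with a missing closing tag fails at the parse step with xml.etree.ElementTree.ParseError, before any routing decision is evaluated.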