
Web Agent Ajax pattern wildcards within protected resources


Article ID: 228740


Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction


When running the Web Agent, when an Ajax application makes an HTTP call to
the /rocfm/fm/commonService resource, the Web Agent redirects the request
to the Credential Collector:

  [10/07/2021][10:41:44][12679][473929472][CSmLowLevelAgent.cpp:510]
  [IsResourceProtected][0000000000000000000000007a100d0a-3187-615ec0d8-1c3f9700-afd937c93a27]
  [*10.0.0.1][][myWebAgent][/myApp/mypage/page][] [Resource is protected from cache.]

  [10/07/2021][10:41:44][22207][526378752][CSmHttpCredCore.cpp:1997]
  [CSmHttpCredCore::DoFormsChallenge][0000000000000000000000007a100d0a-56bf-615ec0d8-1f5fe700-afb431db7b6a]
  [*10.0.0.1][][myWebAgent][/myApp/mypage/page][]
  [Redirecting to credential collector
  'https://myserver.mydomain.com/siteminderagent/login.fcc?
  TYPE=33554432&REALMOID=06-0005c689-312d-1ea8-b4c7-4a120a320000
  &GUID=&SMAUTHREASON=0&METHOD=POST
  &SMAGENTNAME=$SM$VGvDwGiX8cQ48Geay6UI7uJs76QlNT0bZnLfeUeLRGZgyfeNN2y2m%2bBWB3CnIcmy
  &TARGET=$SM$https%3A%2F%2Fmyserver.mydomain.com%2FmyApp%2Fmypage%2Fpage'.]

Can an expression like /rocfm/in.* be used and defined in
OverlookSessionForUrls, and is there any solution to update dynamic Ajax
patterns?


Resolution


At first glance, if the Ajax application sends the request to
/myApp/mypage/page without sending an SMSESSION cookie along, this
behaviour is expected: the resource is protected, so the Web Agent
challenges the caller.

OverlookSessionForUrls doesn't support wildcards (1).

To handle Ajax resources, use the ACO parameter WebAppClientResponse,
whose Resource value can include a wildcard (2).


Additional Information


(1)

    Webagent OverlookSessionForUrls ACO and wildcards usage

      A multi-value parameter is accepted, but this parameter does not
      accept wildcards. A complete URL should be defined.

    https://knowledge.broadcom.com/external/article?articleId=49214

(2)

    Web Application Client Response Introduced

      Use the WebAppClientResponse ACO parameter to implement the
      functionality of the web application client, while maintaining
      SiteMinder security.

      Resource

      Specifies the protected URI to which the web application client is
      making requests. If the URI of a request matches this value,
      SiteMinder identifies the request as originating from the web
      application client. The resource can contain a wildcard (*) for
      prefix and suffix matching.

      Default: No value: if this value is omitted, all resources that the
      Web Agent is protecting apply to the parameter.

      Value: Regular expressions are not supported.

      Example: Resource=/web20/dir/*
      Example: Resource=/web20/dir/*.xml

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/session-protection/apply-siteminder-behavior-to-a-web-application-client.html
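To check which of the URIs being bounced to the credential collector a given configuration would actually cover, the following added example (not part of this article or of the SiteMinder product) models the two matching rules documented above: exact match for OverlookSessionForUrls entries and single-'*' prefix/suffix matching (no regular expressions) for the WebAppClientResponse Resource value, and pulls the TARGET out of DoFormsChallenge trace lines like the ones in the Issue section. The sample trace lines and the GUID/REALMOID placeholders are constructed, and treating a pattern with more than one '*' as prefix*suffix around the first '*' is an assumption.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample trace lines (placeholder GUID/REALMOID), shaped like the
# DoFormsChallenge lines in the article; only the TARGET= part is used below.
SAMPLE_LOG = (
    "[10/07/2021][10:41:44][22207][526378752][CSmHttpCredCore.cpp:1997]"
    "[CSmHttpCredCore::DoFormsChallenge][GUID-PLACEHOLDER][*10.0.0.1][][myWebAgent]"
    "[/myApp/mypage/page][][Redirecting to credential collector "
    "'https://myserver.mydomain.com/siteminderagent/login.fcc?TYPE=33554432"
    "&REALMOID=REALM-PLACEHOLDER&SMAUTHREASON=0&METHOD=POST"
    "&TARGET=$SM$https%3A%2F%2Fmyserver.mydomain.com%2FmyApp%2Fmypage%2Fpage'.]\n"
    "[10/07/2021][10:41:45][22207][526378752][CSmHttpCredCore.cpp:1997]"
    "[CSmHttpCredCore::DoFormsChallenge][GUID-PLACEHOLDER][*10.0.0.1][][myWebAgent]"
    "[/web20/dir/data.xml][][Redirecting to credential collector "
    "'https://myserver.mydomain.com/siteminderagent/login.fcc?TYPE=33554432"
    "&TARGET=$SM$https%3A%2F%2Fmyserver.mydomain.com%2Fweb20%2Fdir%2Fdata.xml'.]\n"
)

def resource_matches(pattern, uri):
    """Documented WebAppClientResponse Resource semantics: a single '*' gives
    prefix/suffix matching, no regular expressions. Assumption: a pattern with
    more than one '*' is treated as prefix*suffix around the first '*'."""
    if "*" not in pattern:
        return uri == pattern
    prefix, _, suffix = pattern.partition("*")
    return (len(uri) >= len(prefix) + len(suffix)
            and uri.startswith(prefix) and uri.endswith(suffix))

def redirected_targets(log_text):
    """Decoded URI path from every 'Redirecting to credential collector' line."""
    for line in log_text.splitlines():
        m = re.search(r"Redirecting to credential collector '([^']+)'", line)
        if not m:
            continue
        for param in urlparse(m.group(1)).query.split("&"):
            if param.startswith("TARGET="):
                target = param[len("TARGET="):]
                if target.startswith("$SM$"):       # Web Agent's value prefix
                    target = target[len("$SM$"):]
                yield urlparse(unquote(target)).path

def uncovered_targets(log_text, resource_patterns, overlook_urls):
    """Paths bounced to the collector that neither a WebAppClientResponse
    Resource wildcard nor an exact OverlookSessionForUrls entry covers."""
    return [p for p in redirected_targets(log_text)
            if p not in overlook_urls
            and not any(resource_matches(r, p) for r in resource_patterns)]
```

Note that a regex-style value such as /rocfm/in.* only matches URIs that literally start with /rocfm/in., which is why the question's expression would not cover an Ajax endpoint under /rocfm/.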