Web Agent and IgnoreURL or realm usage to unprotect resource


Article ID: 233687




SITEMINDER CA Single Sign On Agents (SiteMinder)



When running a Web Agent and trying to unprotect some resources, some
questions may arise:

  1) Is using the IgnoreURL ACO an acceptable or best practice to
     allow certain web-application-to-web-application traffic to
     flow while still protecting the main front-end web application
     via a default root protected policy /* ?

     If not, are unprotected realms better?

  2) Is there a standard method of allowing one web application to
     communicate with another without the traffic going through a
     Web Agent or SiteMinder authentication process at all?




1 - IgnoreURL is best practice to allow some URLs and not others. It
    avoids calls to the Policy Server, which improves performance.

    There are some limitations, as wildcards can't be used (1).

2 - To make traffic completely avoid the Web Agent, run the Web
    Agent on specific virtual hosts and not on the others.

    Note that with IgnoreURL, the traffic is still analyzed for
    vulnerabilities and other security topics, even if no protection
    occurs on the URL (2).

    Some ACO parameters can also be combined to get finer protection.
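
An added example, not part of the original article or the product: a small audit of IgnoreURL entries that flags values containing "*" (wildcards can't be used, as noted above) along with empty and duplicate entries, so each exception to the root /* policy can be reviewed. The `IgnoreUrl="value"` line format and every sample value are constructed assumptions.

```python
import re

# Constructed sample: IgnoreUrl values as they might be exported from an
# ACO or agent config file. The Name="value" line format is an assumption.
SAMPLE_CONFIG = '''\
# agent settings (constructed)
IgnoreUrl="/app/health"
ignoreurl="/static/*"
IgnoreUrl="/app/health"
IgnoreUrl=""
IgnoreExt=".gif,.jpg"
IgnoreUrl="http://www.example.com/partner/callback"
'''

LINE_RE = re.compile(r'^\s*ignoreurl\s*=\s*"(.*)"\s*$', re.IGNORECASE)


def audit_ignore_urls(config_text):
    """Return (line_number, value, finding) tuples for IgnoreUrl entries."""
    findings = []
    seen = {}  # value -> first line number where it appeared
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out setting
        match = LINE_RE.match(line)
        if not match:
            continue  # some other parameter
        value = match.group(1).strip()
        if not value:
            findings.append((lineno, value, "empty"))
        elif "*" in value:
            # The article states wildcards cannot be used in IgnoreURL.
            findings.append((lineno, value, "wildcard"))
        elif value in seen:
            findings.append((lineno, value, "duplicate of line %d" % seen[value]))
        else:
            seen[value] = lineno
            findings.append((lineno, value, "ok"))
    return findings


if __name__ == "__main__":
    for lineno, value, finding in audit_ignore_urls(SAMPLE_CONFIG):
        print("line %d: %-45r %s" % (lineno, value, finding))
```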


Additional Information



    (1) Web Agent : in IgnoreURL ACO with "*" wildcard registration


    (2) Web Agent :: IgnoreURL : BadCssChars BadURLChars


    (3) Web Agent autoauthorize ignoreext, ignoreurl, overrideignoreextfilter