Routing requests stored as a context variable does not use the original request HTTP method

Article ID: 42932


Updated On:

Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

Solution

Background

The most common implementation of HTTP(S) routing in the CA API Gateway involves transmitting the original request to a protected service behind the Gateway. It may be necessary to route a request message that is different from the original request message. The Gateway is capable of routing a request using a specific message body that is set within a context variable. This can allow an administrator or policy author to create a new request or modify an existing request in a context variable and execute the routing assertion using that new Message variable.

This functionality only sets the message body and it does not set any other HTTP options. This can cause the Gateway to use an unexpected HTTP method if the HTTP method is not explicitly set in the Route via HTTP(S) assertion. The Gateway will assume that any HTTP request using a body set from a context variable will contain data to transmit. If a message body contains data to transmit then the Gateway would need to use an HTTP method that supports message bodies. As such, the Gateway will always automatically use the POST method when routing a request using a message body specified in a context variable. This article will prescribe the steps necessary to prevent this automatic method usage.

Presentation

Routing a request stored as a context variable without explicitly specifying an HTTP method will result in the following audit detail or log entry, respectively:

INFO 4047 Request is a context variable; using POST
INFO 138703 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4047: Request is a context variable; using POST

The presence of this audit detail or log entry indicates that the Gateway is routing a request using a message body set as a context variable but has no explicit HTTP method set.
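An added example (not part of the original article and not CA tooling): a Python scan that flags both forms of the 4047 entry quoted above, so the affected routing can be found in collected logs or exported audit details. The optional timestamp prefix and the unrelated lines in SAMPLE are constructed assumptions; only the two 4047 lines are taken from this article.

```python
import re
from collections import Counter

# Log entry shape quoted above: LEVEL <number> <logger class>: <code>: <message>
LOG_RE = re.compile(
    r"\b(?P<level>[A-Z]+)\s+\d+\s+(?P<logger>[\w.$]+):\s+(?P<code>\d+):\s+(?P<message>.*)$"
)
# Audit detail shape quoted above: LEVEL <code> <message>
AUDIT_RE = re.compile(r"\b(?P<level>[A-Z]+)\s+(?P<code>\d+)\s+(?P<message>.*)$")

CODE = "4047"
TEXT = "Request is a context variable; using POST"

# Constructed sample input; lines 1 and 5 are the entries quoted in the article.
SAMPLE = [
    "INFO 138703 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4047: Request is a context variable; using POST",
    "INFO 138704 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 0000: constructed unrelated entry",
    "2019-05-24 10:15:02 INFO 138710 com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion: 4047: Request is a context variable; using POST",
    "WARNING 12 constructed.example.Logger: free text without an audit code",
    "INFO 4047 Request is a context variable; using POST",
]


def find_implicit_post(lines):
    """Return one dict per line that reports the automatic POST fallback."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        # Try the more specific log shape first so a number that happens to
        # precede the logger class is never mistaken for the audit code.
        for form, pattern in (("log", LOG_RE), ("audit", AUDIT_RE)):
            m = pattern.search(line)
            if m:
                break
        else:
            continue  # line matches neither quoted shape
        if m["code"] == CODE and m["message"] == TEXT:
            hits.append({"line": lineno, "form": form,
                         "logger": m.groupdict().get("logger")})
    return hits


def summarize(hits):
    """Count hits per entry form ('log' or 'audit')."""
    return Counter(h["form"] for h in hits)


if __name__ == "__main__":
    for hit in find_implicit_post(SAMPLE):
        print(hit)
```

Each hit marks a request that was routed with POST only because no method was set on the routing assertion; the entry itself does not name the policy, so correlate by time with the service's other audit records.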

Resolution

The automated behavior can be avoided by explicitly specifying the HTTP method used in the Route via HTTP(S) assertion. The HTTP method to use in the routing assertion can be set from a static list such as GET, POST, or PUT. Version 8.2.00 and later have the capability to set the HTTP method from a context variable. This can allow the use of custom HTTP methods or setting the HTTP method via policy logic. The original request HTTP method can be captured via the request.http.method context variable.

The screen captures below illustrate a routing assertion that uses a context variable for the request source and forcefully sets the HTTP method via the static list or via a context variable.

Route via HTTP(S) with request source from variable and static HTTP Method

Route via HTTP(S) with request source and HTTP method from context variables

<Please see attached file for image>

A screen capture of the HTTP(S) Routing Properties dialog using a context variable as request source and a specific HTTP method

<Please see attached file for image>

A screen capture of the HTTP(S) Routing Properties dialog setting the request source and HTTP method via variables

Environment

Release:
Component: APIGTW

Attachments

1558722959390000042932_sktwi1f5rjvs16wo4.jpeg
1558722957192000042932_sktwi1f5rjvs16wo3.jpeg