How does Webagent react to HTTP HEAD requests?

Article ID: 51288

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

How does Webagent react to HTTP HEAD requests and what structures get populated by Initialization?

Solution:

How the Webagent reacts to HTTP HEAD requests:

The agent initializes by calling the OnInitilization() method. The structures populated by this call are:
Bad URL data structures
Bad Query data structures
Cross-Site Scripting data structures
Ignore Extensions data structures
Cookie Provider URL if supplied
Logoff URI if supplied

After this is done, resource identification, OnProcessResource(), starts by extracting information from the HTTP request received by the agent (i.e. the web server with the agent plug-in loaded as per the WebAgent.conf file). Data fields that are checked here are:
Protocol (HTTP vs. HTTPS)
HTTP_HOST (gather server name and port)
URI (including query string)
METHOD
Client IP address
Identify multi-cookie domain query data and remove it from customer URLs.
Parse cookie data; set the CSmPluginCtxt state as appropriate.
Identify SiteMinder Web Agent application URLs
FCC initialization and preprocessing
(Agent cookies SMCHALLENGE and SMONDENIEDREDIR are checked)

The Initialize() call populates the various structures, including the web agent action structures. The only allowed actions are GET, PUT and POST. Any other action results in an error being reported. The agent does not relinquish control.

This also depends on the methods allowed in the underlying web server. Web servers can be tuned to turn off the HTTP TRACE action. When an HTTP HEAD request is sent to a web server, the web server must return only metainformation, such as content-length or content-type, to the requester. The response must not contain a message body.

When an HTTP HEAD request is issued for a protected resource, the web agent generates a 302 redirect.
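
A client-side check of this behaviour, as an added example that is not from the article or the product: probe_head sends a raw HEAD request and reports the status code, the Location header and the number of body bytes actually received. StubAgentHandler, the /protected/ prefix and the /login-placeholder target are constructed stand-ins (assumptions) so the check runs offline against loopback.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED_PREFIX = "/protected/"   # constructed path, not from the article
LOGIN_URL = "/login-placeholder"   # constructed redirect target (assumption)

class StubAgentHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server with an agent plug-in loaded."""

    def do_HEAD(self):
        if self.path.startswith(PROTECTED_PREFIX):
            # HEAD for a protected resource: 302 redirect, headers only.
            self.send_response(302)
            self.send_header("Location", LOGIN_URL)
        else:
            # Unprotected resource: metainformation only, no body.
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", "1234")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def probe_head(host, port, path):
    """Send a raw HEAD request; return (status, Location, body byte count)."""
    req = f"HEAD {path} HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(req.encode("ascii"))
        raw = b""
        while chunk := sock.recv(4096):   # read until the server closes
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    return int(lines[0].split()[1]), headers.get("location"), len(body)

def run_demo():
    """Start the stub on a free loopback port and probe both kinds of path."""
    server = HTTPServer(("127.0.0.1", 0), StubAgentHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        paths = (PROTECTED_PREFIX + "report.html", "/public/index.html")
        return {p: probe_head("127.0.0.1", port, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()
```

The raw socket is deliberate: higher-level HTTP clients discard any body on a HEAD response, which would hide a server that wrongly sends one.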

Environment

Release:
Component: SMIIS