10.02.2013 Views

IBM Tivoli Access Manager for e-business: WebSEAL Administration ...


To solve this problem:

1. Always write scripts that generate relative URL links. Avoid absolute and server-relative URL links.
2. If you must use server-relative links, do not duplicate resource names and paths on both the WebSEAL server and the junctioned application server.
3. If you must use server-relative links, design your ACL model so that more prohibitive ACLs do not affect false resources specified by unfiltered URLs.

Processing URLs in requests

A difficulty arises when URLs are dynamically generated by client-side applications (applets) or embedded in scripts in the HTML code. Web scripting languages include JavaScript, VBScript, ASP, JSP, ActiveX, and others. These applets and scripts execute as soon as the page has arrived at the client browser. WebSEAL never has a chance to apply its standard filtering rules to these dynamically generated URLs.

This section describes how WebSEAL processes client-side dynamically generated server-relative links found in requests for resources on junctioned back-end servers.

- "Handling server-relative URLs with junction cookies (-j)" on page 292
- "Handling server-relative URLs with junction mapping" on page 293
- "Processing root junction requests" on page 294

Note: There are no solutions available for handling absolute URLs generated on the client-side.

Handling server-relative URLs with junction cookies (-j)

Server-relative URLs generated on the client-side by applets and scripts initially lack knowledge of the junction point. WebSEAL cannot filter the URL because it is generated on the client-side. During a client request for a resource using this URL, WebSEAL can attempt to reprocess the server-relative URL using junction cookies.

In the following scenario, a script located on the requested page dynamically generates a server-relative URL expression on arrival at the browser. If the client requests the resource specified by this link, WebSEAL receives a request for a local page. After failing to find the page, it returns a "Not Found" error to the client.

The -j option provides a cookie-based solution for handling server-relative URLs that are dynamically generated by a script that runs on the client machine.

General syntax:

    pdadmin> server task server-name create ... -j ...

For each requested page, a "junction-identifier" cookie is sent to the client (as embedded JavaScript on the HTML page). The cookie contains the following header name and value:

    IV_JCT = /junction-name

When the client makes a request from this page using a dynamically generated server-relative URL, WebSEAL (as before) receives a request for a local resource. When it fails to locate the resource, WebSEAL immediately retries the request using the junction information supplied by the cookie. With the correct junction information in the URL expression, the resource is successfully located.
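The lookup-then-retry behaviour described above, as a simplified Python model added here for illustration (it is not WebSEAL code or IBM's implementation). The junction name /jctA, the resource paths and the function names are constructed assumptions; the shadowed-path case shows why item 2 warns against duplicate names, since a path that also exists locally never reaches the cookie retry.

```python
# Simplified model of the -j retry; constructed sample data, not WebSEAL internals.
LOCAL_RESOURCES = {"/index.html", "/images/logo.gif"}   # WebSEAL's own document root
JUNCTIONS = {                                            # junction point -> back-end paths
    "/jctA": {"/app/report.html", "/images/logo.gif"},
}

def cookie_value(header, name):
    """Return the value of one cookie from a Cookie request header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def resolve(path, cookie_header=""):
    """Return (origin, resolved_path) for a request path as the proxy receives it."""
    # 1. A URL that already carries a junction point goes to that junction.
    for jct, resources in JUNCTIONS.items():
        if path.startswith(jct + "/"):
            found = path[len(jct):] in resources
            return ("junction" if found else "not-found", path)
    # 2. A server-relative URL without a junction point is looked up locally.
    if path in LOCAL_RESOURCES:
        return ("local", path)
    # 3. Local lookup failed: retry once with the junction named in IV_JCT.
    #    Only junctions that are actually configured are accepted.
    jct = cookie_value(cookie_header, "IV_JCT")
    if jct in JUNCTIONS and path in JUNCTIONS[jct]:
        return ("junction", jct + path)
    return ("not-found", path)

def shadowed_paths():
    """Paths present both locally and behind a junction (the duplicates of item 2)."""
    return sorted(p for res in JUNCTIONS.values() for p in res if p in LOCAL_RESOURCES)

if __name__ == "__main__":
    for path, cookie in [
        ("/app/report.html", ""),               # no cookie: "Not Found"
        ("/app/report.html", "IV_JCT=/jctA"),   # retry succeeds via the cookie
        ("/images/logo.gif", "IV_JCT=/jctA"),   # duplicate name: local copy wins
    ]:
        print(path, repr(cookie), "->", resolve(path, cookie))
    print("shadowed:", shadowed_paths())
```

Running shadowed_paths() against an inventory of both servers is a quick way to find names that will resolve to the wrong origin, and therefore be evaluated against the wrong ACL, before a junction goes live.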

292 IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide
