Forum Discussion
ASM Wildcard in the middle of the URL
Right, I've tested this and it does indeed work.
To expand on the above, the application we are protecting uses REST API calls. A client, as part of its request, sends through an ID in the URL. The ID is unique to each client, and with potentially thousands of clients, must be dealt with using a wildcard.
However, there are other calls the client can make that also require sending the ID, but appended is another folder/service. For example:
Call 1 from client = [HOST]/account/
Call 2 from client = [HOST]/account//product
Not sure if this is possible but can we have it so that we can wildcard the first call, e.g. '/account/*' & thus take care of the unique IDs in the requests, but also ensure that should a client request anything past the 'product' service, get blocked? So for example a client requesting the following would be blocked:
[HOST]/account//product/someotherservice
Initial thoughts suggest no, this isn't possible because the wildcard (/account/*) would mean that literally anything past 'account' would be permitted. Just trying to understand the art of the possible here.
Thank you.
- youssef1Jan 19, 2018Cumulonimbus
Hello,
if it is just URI restrion I advise you to do this by IRULE. you do not need to do this operation on the ASM. If so, I can provide you the IRULE that will answer your needs.
Regards
- Jan 20, 2018
Thanks youssef
That is potentially an interesting idea. Let me first state that this is not just about restricting access to URLs. ASM is mandatory and is required for lots of other things. If an iRule can be crafted to help us achieve the above in addition to ASM then I’d be glad to hear how that could work?
Thanks
- youssef1Jan 22, 2018Cumulonimbus
Hello Delvin,
I know that in your situation ASM is mandatory. But in some case you want just restrict URI Access. You just have to know that your Irule, (HTTP_REQUEST event ) is executed before ASM. So In addition to your ASM Policy you can create and assign an Irule to your service in order to restrict some URI:
Below a simple example. I could not test it.
when HTTP_REQUEST { if { ([HTTP::uri] starts_with "/account/" && ([string match "\/account\/[^\/]+" [HTTP::path]] || [string match "\/account\/[^\/]+\/product" [HTTP::path]]) } { Pass } else { reject } }
Regards
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com