CA Single Sign-On - 12.52 SP1

Ignore Unprotected Resources

Last update November 28, 2018

You can improve the Web Agent performance by ignoring requests for resources that you do not want to protect. Consider the following configurations to improve performance:

Reduce Overhead by Ignoring File Extensions of Unprotected Resources

Reduce overhead by instructing the Web Agent to ignore requests for certain types of resources with the following parameter:

IgnoreExt

Specifies the types of resource requests that the Web Agent passes to the web server without checking access policies. The Web Agent allows access to the items with extensions specified by this parameter even if they exist in a realm that is protected by a policy.

You can configure Web Agent to ignore requests in the following conditions:

  • The resource ends in one of the extensions that you want to ignore
  • The URI of the protected resource contains a single period (.). 
    For example, if a URI for a requested resource is /my.dir/ the Web Agent passes the request directly to the web server.

Default: .class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc

By default, the Agent does not ignore requests for resources that contain two or more periods that are separated by a slash (/). Web Agents handle requests for resources using the process that is shown in the following example:

  1. The .gif extension is added to the IgnoreExt parameter. The Web Agent ignores requests for resources with the .gif extension.
  2. A request is made for the following URI:
    /dir1/app.pl/file1.gif
  3. The Web Agent checks /dir1/app.pl/file1.gif against the configured policies because some web servers execute /dir1/app.pl as an application instead of serving the file1.gif resource.
    Granting access to /dir1/app.pl/file1.gif without consulting the web server can result in a security breach.

To reduce overhead, add the extensions to this parameter for the resources you want the Agent to ignore.

Important! Web Agent applies the IgnoreExt parameter to resources in a URL but not to parameter values. Consider this behavior when configuring the IgnoreExt setting.

Specify Virtual Servers for the Web Agent to Ignore

If a web server at your site supports several virtual servers, there may be resources on these virtual servers that you do not want to protect with the Web Agent. To simplify how the Web Agent distinguishes which portions of a web server's content it protects, use the following parameter:

IgnoreHost

Specifies the fully qualified domain names of any virtual servers that you want the Web Agent to ignore. Resources on such virtual servers are auto-authorized, and the Web Agent always grants access to them regardless of which client makes the request. The authorization decision is based on the configuration of the Web Agent instead of being based on a policy.

The list of ignored hosts is checked first, before any other auto-authorization checks such as the IgnoreExt and IgnoreURL settings. Therefore, for a resource on an ignored host, the double-dot rule does not trigger an authorization call to the Policy Server, even when that resource would not be ignored by extension.

The host portion of the URL entries for the IgnoreHost parameter must exactly match what the Web Agent reads for the host header of the requested resource.

Note: This value is case-sensitive.

If the URL uses a specific port, then the port must be specified.

For centrally-managed agents, use a multi-value parameter in the Agent Configuration Object to represent several servers. For agents configured with a local configuration file, list each host on a separate line in the file.

Example: (URL shown with port specified)

IgnoreHost="myserver.example.org:8080"

Example: (local configuration file)

IgnoreHost="my.host.com"

IgnoreHost="your.host.com"

Default: No default

To specify virtual servers for the Web Agent to ignore, do either of the following tasks:

  • For central configuration, add the servers you want to ignore to your agent configuration object. For more than one server, use the multi-value setting for the parameter.
  • For local configuration, add a separate line for each server in the local configuration file.

Resources using the specified URLs are ignored by the Web Agent and access to those resources is granted automatically.
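
The evaluation order described above (IgnoreHost first, then IgnoreExt with the double-dot rule) can be modelled to audit which requests would skip the Policy Server. This is an added example, not CA code: `decide`, `audit` and the sample requests are hypothetical, only the extension condition of IgnoreExt is modelled, and IgnoreUrl is left out.

```python
from urllib.parse import urlsplit

# Default IgnoreExt list as given on this page.
DEFAULT_IGNORE_EXT = (".class", ".gif", ".jpg", ".jpeg", ".png",
                      ".fcc", ".scc", ".sfcc", ".ccc", ".ntc")


def decide(host_header, url, ignore_hosts=(), ignore_ext=DEFAULT_IGNORE_EXT):
    """Return (outcome, reason) for one request, following the documented order."""
    # 1. IgnoreHost is checked first: exact, case-sensitive, port included.
    if host_header in ignore_hosts:
        return "auto-authorized", "IgnoreHost"
    # 2. IgnoreExt applies to the resource path only, never to query values.
    path = urlsplit(url).path
    if not path.endswith(tuple(ignore_ext)):  # exact-case match is an assumption
        return "checked", "no ignored extension"
    # 3. Double-dot rule: periods in two or more slash-separated segments.
    if sum("." in seg for seg in path.split("/")) >= 2:
        return "checked", "double-dot rule"
    return "auto-authorized", "IgnoreExt"


# Constructed sample requests: (Host header, URL).
SAMPLES = [
    ("www.example.org", "/images/logo.gif"),
    ("www.example.org", "/dir1/app.pl/file1.gif"),
    ("www.example.org", "/app/report?file=chart.gif"),
    ("myserver.example.org:8080", "/dir1/app.pl/file1.gif"),
    ("MyServer.example.org:8080", "/dir1/app.pl/file1.gif"),
    ("myserver.example.org", "/dir1/app.pl/file1.gif"),
]


def audit(samples, ignore_hosts):
    """List every sample the agent would pass without a Policy Server call."""
    return [(h, u, why) for h, u in samples
            for outcome, why in [decide(h, u, ignore_hosts)]
            if outcome == "auto-authorized"]


if __name__ == "__main__":
    for row in audit(SAMPLES, ["myserver.example.org:8080"]):
        print(row)
```

Only the exact `myserver.example.org:8080` header is auto-authorized by host; the variants that differ in case or omit the port fall through to the double-dot rule and are checked.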

Ignore Query Data in a URL

The IgnoreQueryData parameter affects the way Web Agents treat URLs. Use this parameter to prevent Web Agent from caching the entire URL and sending the URIs with their query strings to the Policy Server for rule processing.

IgnoreQueryData

Specifies whether the Web Agent will cache the entire URL (including the query strings) and send the entire URI to the Policy Server for rule processing. A full URL string contains a URI, a hook (?), and some query data, as shown in the following example:

URI?query_data

URLs that have been the subjects of requests are cached by default. Subsequent requests search the cache for a match. If requests for the same URI contain different query data, the match fails. Ignoring the query data improves performance.

When the IgnoreQueryData parameter is set to yes, the following occurs:

  • The URL is truncated at the hook. Only the URI is cached and sent to the Policy Server. The query data is maintained elsewhere, for the purpose of maintaining the proper state for redirects.
  • Only the part before the hook is sent to the Policy Server for rule processing.
  • Both URIs in the following example are handled as the same resource:
    /myapp?data=1
    /myapp?data=2

When the IgnoreQueryData parameter is set to no, the following occurs:

  • The entire URL is cached.
  • The entire URI is sent to the Policy Server for rule processing.
  • The URIs in the following example are handled as different resources:
    /myapp?data=1
    /myapp?data=2

Default: No

To have the Web Agent send only URIs to the Policy Server for processing, set the value of the IgnoreQueryData parameter to yes.

Important! Do not enable this setting if you have policies which depend on URL query data.

Allow Unrestricted Access to URIs

If you do not want to protect a set of URIs, configure the IgnoreUrl parameter to direct Web Agent to ignore and allow unrestricted access to those URIs.

IgnoreUrl
Specifies a URI within a URL that must not be protected. Web Agent does not challenge the users who attempt to access the resource associated with the specified URI and allows access to the resource automatically. It also ignores the specified URI in a different domain or multiple URIs. The value is case-sensitive.

You can configure the parameter value in the following formats:

IgnoreUrl="http://fullyqualifieddomainname/uri_name"

OR

IgnoreUrl="/uri_name"


Example 1

http://www.example.com/directory

OR

/directory


Web Agent ignores the URI directory in the following sample URIs:

http://example.ca.com/directory
http://example.net1.com/directorydemo
http://example.org1.com/directory/
http://sample1.ca.com/directory

Allow Unrestricted Access to Specific URI Folder

To allow unrestricted access to a specific folder in a URI, configure the parameter in the following format:

IgnoreUrl="http://fullyqualifieddomainname/uri_name/"

OR

IgnoreUrl="/uri_name/"


Example 2

http://www.example.com/directory/

OR

/directory/

Given the same sample URIs that are listed in Example 1, the Web Agent ignores only the following URI and protects the rest of the URIs:

http://example.org1.com/directory/


For a central configuration, add the fully qualified domain names with the URIs that you want to ignore to your agent configuration object. For more than one URI, use the multivalue setting for the parameter. For local configuration, add a separate line for each fully qualified domain name and URI in the local configuration file.
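
The difference between Example 1 and Example 2 can be checked before a value is deployed. The following added example is not CA code: it assumes a case-sensitive prefix match on the path with the host part not compared (a model inferred from the two examples above), and `is_ignored`, `unintended_exposure` and the public/private tags are hypothetical.

```python
from urllib.parse import urlsplit

# The four sample URIs from Example 1, each tagged with whether the site owner
# intends it to be public (the tags are constructed for this example).
INVENTORY = {
    "http://example.ca.com/directory": True,
    "http://example.net1.com/directorydemo": False,
    "http://example.org1.com/directory/": True,
    "http://sample1.ca.com/directory": True,
}


def entry_path(entry):
    """Path part of an IgnoreUrl value given as '/uri_name' or as a full URL."""
    return urlsplit(entry).path


def is_ignored(request_url, ignore_urls):
    """True when an entry's path is a case-sensitive prefix of the request path."""
    path = urlsplit(request_url).path
    # Entries with an empty path are skipped so they cannot match everything.
    return any(p and path.startswith(p) for p in map(entry_path, ignore_urls))


def unintended_exposure(ignore_urls, inventory=INVENTORY):
    """URIs that IgnoreUrl would auto-authorize although they are not meant to be public."""
    return sorted(url for url, public in inventory.items()
                  if not public and is_ignored(url, ignore_urls))


if __name__ == "__main__":
    for value in ("/directory", "/directory/"):
        print(value, "->", unintended_exposure([value]))
```

With `/directory` the audit reports `http://example.net1.com/directorydemo` as exposed; with `/directory/` it reports nothing, matching Example 2.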


  1. Axel Klüner
    2018-08-10 12:31

    You wrote: "Requests for resources that meet either of the following conditions may be ignored:". Did you mean: "Requests for resources that meet either of the following conditions WILL be ignored:" ?

    1. Gayatri Mothey
      2018-08-20 07:01

      Right, Axel. If IgnoreExt is configured, Agent ignores the requests that meet the conditions. We will update the content to clarify the sentence. Thank you for letting us know.

  2. Axel Klüner
    2018-08-10 12:38

    You wrote: "The Web Agent checks /dir1/app.pl/file1.gif against the configured policies because some web servers execute /dir1/app.pl as an application instead of serving the file1.gif resource."

    That's not true. The resource is checked against the configured policies (why are the policies explicitly attributed as "configured"? Are there "unconfigured" policies? It's like "I saw a grey elephant.") because to quote yourself: "The URI of the protected resource contains more than a single period (.)."

    1. Gayatri Mothey
      2018-08-20 07:16

      Thank you for your question, Axel. The example explains how Agent behaves when it encounters a request with multiple periods. By default, Agent does not ignore requests that contain multiple periods, which are separated by a slash. If we want to ignore this case too, we must add the extensions to IgnoreExt.

      Hope this clarifies your question, Axel. Happy to help if you need further information.