Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0

Configuring the Not-Enforced URL List

The not-enforced URL list defines the resources that should not have any policies (neither allow nor deny) associated with them.

By default, the web agent denies access to all resources on the deployment container that it protects. However, various resources (such as a web site or an application) available through a deployment container might not need to have any policy enforced. Common examples of such resources include the HTML pages and .gif images found in the home pages of web sites and the cascading style sheets (CSS) that apply to these home pages. The user should be able to browse such pages without authenticating. For the home page example, all these resources need to be on the not-enforced URL list or the page will not be displayed properly. The property com.sun.am.policy.agents.config.notenforced_list is used for this purpose. Wildcards can be used to define a pattern of URLs. The URLs in the list are separated by spaces.

There can be a reverse, or “inverted”, scenario when all the resources on the deployment container, except a list of URLs, are open to any user. In that case, the property com.sun.am.policy.agents.config.notenforced_list.invert would be used to reverse the meaning of com.sun.am.policy.agents.config.notenforced_list. If it is set to true (by default it is set to false), then the not-enforced URL list would become the enforced list.


Example 6–2 Configuration Property Settings for Not-Enforced URL List

The following are examples:

Scenario 1: Not-Enforced URL List

com.sun.am.policy.agents.config.notenforced_list.invert = false

com.sun.am.policy.agents.config.notenforced_list = 
http://host1.example.com:80/welcome.html
http://host1.example.com:80/banner.html

In this case, authentication and policies will not be enforced on the two URLs listed in the not-enforced URL list. All other resources will be protected by the web agent.

Scenario 2: Inverted Not-Enforced URL List

com.sun.am.policy.agents.config.notenforced_list.invert = true

com.sun.am.policy.agents.config.notenforced_list =
 http://host1.example.com:80/welcome.html
 http://host1.example.com:80/banner.html

In this case, authentication and policies will be enforced by the web agent on the two URLs listed in the not-enforced URL list. All other resources will be accessible to any user.



Caution –

If feasible, keep this property set to false, as follows:

com.sun.am.policy.agents.config.notenforced_list.invert = false

A value of false reduces the chance of unintentionally allowing access to resources.
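
The following Python check is an added example, not part of the original guide or the agent's own code. It evaluates URLs against the two properties as described above and reports which ones end up open to any user in Scenario 1 and Scenario 2. The function names, the `/admin/console.html` URL and the `*` wildcard semantics are assumptions for illustration; the agent's exact matching rules are not given on this page.

```python
import re

PREFIX = "com.sun.am.policy.agents.config."

# Settings copied from Scenario 1 and Scenario 2 of the guide.
SCENARIO_1 = """
com.sun.am.policy.agents.config.notenforced_list.invert = false
com.sun.am.policy.agents.config.notenforced_list =
 http://host1.example.com:80/welcome.html
 http://host1.example.com:80/banner.html
"""
SCENARIO_2 = SCENARIO_1.replace("invert = false", "invert = true")

# Constructed test URLs: the two listed pages plus one resource nobody listed.
URLS = [
    "http://host1.example.com:80/welcome.html",
    "http://host1.example.com:80/banner.html",
    "http://host1.example.com:80/admin/console.html",
]

def parse_props(text):
    """Read 'key = value' lines; other non-empty lines continue the last value."""
    props, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith(PREFIX) and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            props[key] = value
        elif key:
            props[key] = (props[key] + " " + line).strip()
    return props

def matches(pattern, url):
    """Assumed wildcard semantics: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None

def is_enforced(url, props):
    patterns = props.get(PREFIX + "notenforced_list", "").split()
    invert = props.get(PREFIX + "notenforced_list.invert", "false").lower() == "true"
    listed = any(matches(p, url) for p in patterns)
    return listed if invert else not listed

def open_to_anyone(urls, props):
    """URLs the agent would serve without authentication or policy checks."""
    return [u for u in urls if not is_enforced(u, props)]

if __name__ == "__main__":
    for name, text in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        print(name, open_to_anyone(URLS, parse_props(text)))
```

With invert set to true, the unlisted `/admin/console.html` is the URL reported as open, which is the unintended exposure the caution above refers to.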