12 Evaluating Rules Context

This chapter explains how to enable request parameter and header whitelisting: you specify which parameters and headers sent from the client are made available in the session, so that in-session rules can evaluate them, trigger, and then perform an action.

This chapter contains the following topics:

12.1 Enabling Passing of HTTP Request Parameters and Headers for Rules Evaluation

There are two ways data can be sent to the server. They are through:

  • request parameters

  • headers (you do not see them in the URL but as an HTTP header)

A request parameter is part of the URL itself: a ? follows the path and the parameter is written as name=value. For example http(s)://hostname:port/index.html?param=value.

A header is an HTTP header and is not part of the URL. The values are passed from the login page and no modifications are required. Headers are usually preferred because it is cumbersome to attach the information to every request and then check at runtime whether it arrived. The usual method is to set the data in a header and have OAAM pass that data to the rules.

Request parameter and header whitelisting aids security administrators, who do not want to accept every parameter sent from the client side. Use the following properties to whitelist parameters so that the OAAM server accepts them and makes them available in the session (in the rules context). OAAM ignores parameters and headers whose names do not match what is specified.

bharosa.uio.sessionData.populateExternalData.headers.enabled=false

This property specifies whether you want to allow the acceptance of header information. By default it is set to false.

bharosa.uio.sessionData.populateExternalData.headers.regex=<specify regex of header names> 

This property enables you to specify the names of headers. You can use a regular expression if you think there are header names that have a pattern.

For example, if you want R1, R2, and R3 available, you could use R* as a regular expression.

bharosa.uio.sessionData.populateExternalData.headers.csv=<specify CSV names of headers> 

This property enables you to specify a comma-separated list of names of the headers for OAAM to accept. Use this property if you do not have a pattern and you know the names of a few headers. For example, if you want to capture R1 and R2, you can use R1,R2 as CSV.

bharosa.uio.sessionData.populateExternalData.parameters.enabled=false

This property specifies whether you want to allow the acceptance of request parameters. By default it is set to false.

bharosa.uio.sessionData.populateExternalData.parameters.regex=<specify regex of parameter names> 

This property enables you to specify the names of the request parameters. You can use a regular expression if you think there are request parameter names that have a pattern.

bharosa.uio.sessionData.populateExternalData.parameters.csv=<specify CSV names of request parameters> 

This property enables you to specify a comma-separated list of names of request parameters for OAAM to accept. Use this property if you do not have a pattern and you know the names of a few request parameters. For example, if you want to capture R1 and R2, you can use R1,R2 as CSV.

12.2 Using HTTP Request Parameters and Headers for Rules Evaluation

You can create a rule with the condition, Session: Check String Parameter Value, and add it to a policy.
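The following is an added illustration of the behaviour described in 12.1 and 12.2, written for this page; it is not OAAM's own code and OAAM's internal matching is not shown in the chapter. It assumes the property keys listed above, a full-name match for the regex (so names beginning with R are matched by `R.*`, which is what the chapter's `R*` example means in regex syntax), and models the Session: Check String Parameter Value condition as a simple equality test on a whitelisted parameter. The inbound headers and parameters are constructed sample data.

```python
import re
from typing import Dict

# Property names are the real ones from the chapter; the values below are
# constructed sample settings for this illustration, not a shipped default.
SAMPLE_PROPERTIES = """
# headers: accept any header whose name starts with R (R1, R2, R3, ...)
bharosa.uio.sessionData.populateExternalData.headers.enabled=true
bharosa.uio.sessionData.populateExternalData.headers.regex=R.*
bharosa.uio.sessionData.populateExternalData.headers.csv=
# parameters: no pattern, so name the few parameters explicitly
bharosa.uio.sessionData.populateExternalData.parameters.enabled=true
bharosa.uio.sessionData.populateExternalData.parameters.regex=
bharosa.uio.sessionData.populateExternalData.parameters.csv=R1,R2
"""

PREFIX = "bharosa.uio.sessionData.populateExternalData."

# Constructed client request: an attacker-controllable surface, so only the
# whitelisted names may reach the rules context.
INBOUND_HEADERS = {"R1": "gold", "R2": "branch-42", "R3": "x", "X-Forwarded-For": "203.0.113.9"}
INBOUND_PARAMS = {"R1": "yes", "R2": "no", "R9": "ignored", "debug": "true"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value properties parser; comments and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def whitelist(kind: str, data: Dict[str, str], props: Dict[str, str]) -> Dict[str, str]:
    """Return only the entries of `data` (kind is 'headers' or 'parameters')
    that the properties allow into the rules context.

    Semantics as documented: nothing is accepted unless <kind>.enabled=true;
    a name is then accepted if it appears in the CSV list or matches the regex.
    Full-name matching is an assumption of this illustration."""
    if props.get(PREFIX + kind + ".enabled", "false").lower() != "true":
        return {}
    pattern_text = props.get(PREFIX + kind + ".regex", "")
    pattern = re.compile(pattern_text) if pattern_text else None
    csv_names = {n.strip() for n in props.get(PREFIX + kind + ".csv", "").split(",") if n.strip()}
    return {
        name: value
        for name, value in data.items()
        if name in csv_names or (pattern is not None and pattern.fullmatch(name))
    }


def build_session_context(headers: Dict[str, str], params: Dict[str, str],
                          props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """The subset of client data that in-session rules are allowed to see."""
    return {
        "headers": whitelist("headers", headers, props),
        "parameters": whitelist("parameters", params, props),
    }


def check_string_parameter_value(context: Dict[str, Dict[str, str]], name: str, expected: str) -> bool:
    """Model of the 'Session: Check String Parameter Value' condition (12.2):
    true only when the parameter reached the session context and equals `expected`.
    A parameter that was not whitelisted can never satisfy the condition."""
    return context["parameters"].get(name) == expected


def main() -> None:
    props = parse_properties(SAMPLE_PROPERTIES)
    context = build_session_context(INBOUND_HEADERS, INBOUND_PARAMS, props)
    print("rules context:", context)
    print("R1 == yes ?", check_string_parameter_value(context, "R1", "yes"))
    print("R9 == ignored ?", check_string_parameter_value(context, "R9", "ignored"))


if __name__ == "__main__":
    main()
```

Running it shows R1, R2 and R3 surviving the header regex while X-Forwarded-For is dropped, and only R1 and R2 surviving the parameter CSV; the rule condition on R9 is false even though the client sent it, because the value never entered the session. Flipping either `.enabled` property back to false empties that part of the context regardless of the regex or CSV, which is the check to make first when a rule that reads client data unexpectedly never triggers.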