Chapter 4. Configuration and customization 133
4.5.2 Creating a local type standard junction
One specific type of junction is a local type junction (-t local). It is a mount point
for specific content located locally on the WebSEAL server. Like the content from
junctioned remote servers, local junction content is incorporated into WebSEAL’s
unified protected object space view.
The following junction options are appropriate for local type junctions:
–t type Type of junction (local).
–d dir Local directory to junction. Required if the junction type is
local.
–f Force the replacement of an existing junction.
–l percent-value Defines the soft limit for consumption of worker threads.
–L percent-value Defines the hard limit for consumption of worker threads.
4.5.3 URL filtering
The challenges of URL filtering are specific to standard WebSEAL junctions. For
successful communication across standard junctions, WebSEAL must filter
absolute and server-relative URLs in HTML response documents returned from
the protected Web servers so that the URLs are correct when viewed as a part of
WebSEAL’s single host document space. The term
filtering is used to indicate
WebSEAL’s process of scanning Web documents (for absolute and
server-relative links) and modifying the links to include junction information. The
junction feature of WebSEAL changes the server and path information that must
be used to access resources on junctioned back-end systems. A link to a
resource on a back-end junctioned server can only succeed if the URL contains
the identity of the junction.
To support the standard junction feature and maintain the integrity of URLs,
WebSEAL must, where possible:
1. Modify the URLs (links) found in responses sent to clients
2. Modify requests for resources resulting from URLs (links) that WebSEAL
could not change
Figure 4-6 on page 134 summarizes the solutions available to WebSEAL for
modifying URLs to junctioned back-end resources.
134 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Figure 4-6 URL filtering solutions
Path types used in URLs
Any HTML page is likely to contain URLs (links) to other resources on that
back-end server or elsewhere. URL expressions can appear in the following
formats:
Relative
Server-relative
Absolute
Links containing URLs expressed in relative format never require any
modification by WebSEAL. By default, the browser handles relative URLs in links
by pre-appending the correct scheme (protocol), server name, and directory
information (including the junction) to the relative URL. The browser derives the
pre-appended information from the location information of the page on which the
link is located.
Links to back-end resources expressed in absolute or server-relative formats
succeed only if WebSEAL is able to modify the URL path expression to include
junction information. WebSEAL URL modification techniques apply to absolute
and server-relative URLs.
Options for modifying URLs in responses from junctioned back-end application
servers are the following:
Filtering tag-based static URLs
Script filtering for modifying absolute URLs
Filtering with configuring the rewrite-absolute-with-absolute option
Chapter 4. Configuration and customization 135
Filtering tag-based static URLs
WebSEAL uses a set of default rules to scan for (or filter) tag-based static URLs
contained in pages that are responses to client requests. This default filtering
mechanism examines static URLs located within tag-based content (such as
HTML or XML). An important requirement for this mechanism is that the URLs
must be visible to WebSEAL. For example, tag-based content filtering cannot
handle URLs that are dynamically generated on the client side.
Filter rules for server-relative URLs
WebSEAL must add the junction name to the path of server-relative URLs that
refer to resources located on junctioned servers. Server-relative URLs indicate a
URL position in relation to the document root of the junctioned server, for
example:
/dir/file.html
Server-relative URLs are modified by adding the junction point of the junctioned
server to the path name, for example:
/jct/dir/file.html
Filter rules for absolute URLs
WebSEAL must add the junction name to the path of absolute URLs that refer to
resources located on junctioned servers. Absolute URLs are modified according
to the following set of rules:
If the URL is HTTP and the host/port matches a TCP junctioned server, the
URL is modified to be server-relative to WebSEAL and reflect the junction
point. For example:
http://host-name[:port]/file.html
becomes:
/tcpjct/file.html
If the URL is HTTPS and the host/port matches an SSL junctioned server, the
URL is modified to be server-relative to WebSEAL and reflect the junction
point. For example:
https://host-name[:port]/file.html
becomes:
/ssljct/file.html
Modifying absolute URLs with script filtering
WebSEAL requires additional configuration to handle the processing of absolute
URLs embedded in scripts. Web scripting languages include JavaScript,
VBScript, ASP, JSP™, ActiveX, and others.
Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.
O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.
