Forum Discussion

Jan 17, 2018

ASM Wildcard in the middle of the URL

Hello everyone,

Does anyone know if it is possible to have a wildcard in the middle of a URL when building an ASM policy? For example, can we do this:

/pathto/*/resource

Thank you.

 

  • Right, I've tested this and it does indeed work.

     

    To expand on the above, the application we are protecting uses REST API calls. A client, as part of its request, sends through an ID in the URL. The ID is unique to each client, and with potentially thousands of clients, must be dealt with using a wildcard.

     

    However, there are other calls the client can make that also require sending the ID, but appended is another folder/service. For example:

     

    Call 1 from client = [HOST]/account/

     

    Call 2 from client = [HOST]/account//product

     

    Not sure if this is possible, but can we have it so that we can wildcard the first call, e.g. '/account/*', and thus take care of the unique IDs in the requests, but also ensure that should a client request anything past the 'product' service, it gets blocked? So for example a client requesting the following would be blocked:

     

    [HOST]/account//product/someotherservice

     

    Initial thoughts suggest no, this isn't possible because the wildcard (/account/*) would mean that literally anything past 'account' would be permitted. Just trying to understand the art of the possible here.

     

    Thank you.

     

    • youssef1

      Hello,

       

      If it is just URI restriction, I advise you to do this with an iRule. You do not need to do this operation on the ASM. If so, I can provide you the iRule that will answer your needs.

       

      Regards

       

    • Devlin_T_149357

      Thanks youssef

       

      That is potentially an interesting idea. Let me first state that this is not just about restricting access to URLs. ASM is mandatory and is required for lots of other things. If an iRule can be crafted to help us achieve the above in addition to ASM, then I’d be glad to hear how that could work.

       

      Thanks

       

    • youssef1

      Hello Devlin,

      I know that in your situation ASM is mandatory. But in some cases you just want to restrict URI access. You just have to know that your iRule (HTTP_REQUEST event) is executed before ASM. So in addition to your ASM policy you can create and assign an iRule to your service in order to restrict some URIs:

      Below is a simple example. I could not test it.

      when HTTP_REQUEST {
          # Only police the /account/ subtree; other paths are left to the ASM policy.
          if { [HTTP::path] starts_with "/account/" } {
              # Allow /account/<id> and /account/<id>/product (trailing slash optional),
              # where <id> is a single path segment. Anything deeper is rejected.
              # matches_regex is used because string match only understands glob patterns.
              if { [HTTP::path] matches_regex {^/account/[^/]+/?$} || [HTTP::path] matches_regex {^/account/[^/]+/product/?$} } {
                  return
              } else {
                  reject
              }
          }
      }
      

      Regards
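As an added example, not part of this thread and not F5 code, here is the same allow-list decision written in Python so the two path shapes from the question can be checked against sample requests offline. It mirrors the two patterns (`/account/<id>` and `/account/<id>/product`) and additionally normalises the path (percent-decoding and resolving dot segments, which is assumed to match what the backend does) before matching, something a check on the raw `HTTP::path` does not do. The sample paths and IDs are constructed.

```python
import re
from urllib.parse import unquote

# Allow-list for the /account/ subtree described in the thread. <id> is one
# path segment (one or more characters other than '/'). Paths are matched
# after normalisation, so trailing slashes are already stripped here.
ALLOWED = [
    re.compile(r"^/account/[^/]+$"),          # call 1: /account/<id>
    re.compile(r"^/account/[^/]+/product$"),  # call 2: /account/<id>/product
]


def normalize_path(path: str) -> str:
    """Percent-decode the path and resolve '.' and '..' segments, dropping
    empty segments and any trailing slash. Matching the raw path instead would
    let an encoded slash (%2F) sit inside what looks like a single <id>
    segment while the backend treats it as a deeper path."""
    segments = []
    for seg in unquote(path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def decide(path: str) -> str:
    """Return the action for one request path:
    'pass'   - allowed shape under /account/, hand the request on (to ASM)
    'reject' - under /account/ but not one of the two allowed shapes
    'asm'    - outside /account/; this filter does not apply, ASM alone decides
    """
    norm = normalize_path(path)
    if norm != "/account" and not norm.startswith("/account/"):
        return "asm"
    return "pass" if any(p.match(norm) for p in ALLOWED) else "reject"


# Constructed sample requests, including the two calls from the thread and
# the deeper path that should be blocked.
SAMPLE_PATHS = [
    "/account/c1b2/",                           # call 1 -> pass
    "/account/c1b2/product",                    # call 2 -> pass
    "/account/c1b2/product/someotherservice",   # deeper service -> reject
    "/account/c1b2/product/../other",           # resolves to /account/c1b2/other -> reject
    "/account/c1b2%2Fproduct%2Fother",          # encoded slashes -> reject once decoded
    "/account/",                                # no id at all -> reject
    "/login",                                   # outside the subtree -> asm
]


def run(paths=SAMPLE_PATHS):
    """Map each sample path to its decision."""
    return {p: decide(p) for p in paths}


if __name__ == "__main__":
    for p, action in run().items():
        print(f"{action:7} {p}")
```

The ordering matters: the iRule above runs before ASM, so a path that passes this filter is still subject to the ASM policy, while a rejected one never reaches it. Normalising before matching keeps the filter's view of the path consistent with the backend's.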