Forum Discussion
Right, I've tested this and it does indeed work.
To expand on the above, the application we are protecting uses REST API calls. A client, as part of its request, sends through an ID in the URL. The ID is unique to each client, and with potentially thousands of clients, must be dealt with using a wildcard.
However, there are other calls the client can make that also require sending the ID, but appended is another folder/service. For example:
Call 1 from client = [HOST]/account/
Call 2 from client = [HOST]/account//product
Not sure if this is possible, but can we have it so that we can wildcard the first call, e.g. '/account/*', and thus take care of the unique IDs in the requests, but also ensure that should a client request anything past the 'product' service, it gets blocked? So for example a client requesting the following would be blocked:
[HOST]/account//product/someotherservice
Initial thoughts suggest no, this isn't possible because the wildcard (/account/*) would mean that literally anything past 'account' would be permitted. Just trying to understand the art of the possible here.
Thank you.
Hello Delvin,
I know that in your situation ASM is mandatory. But in some cases you just want to restrict URI access. You just have to know that your iRule (HTTP_REQUEST event) is executed before ASM. So in addition to your ASM policy you can create and assign an iRule to your service in order to restrict some URIs:
Below is a simple example. I could not test it.
when HTTP_REQUEST {
    # Permit only /account/<id> and /account/<id>/product, where <id> is a
    # single path segment (no slash). The ^...$ anchors in the regexp are
    # what block /account/<id>/product/someotherservice; a bare prefix
    # wildcard would let it through. Everything else is rejected.
    if { [HTTP::path] starts_with "/account/" && [regexp {^/account/[^/]+(/product)?$} [HTTP::path]] } {
        return
    } else {
        reject
    }
}
Regards
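To make the difference between a prefix wildcard and an anchored pattern concrete, here is an added worked example in Python (not code from the thread or from F5). It applies the same two allowed shapes discussed above, /account/<id> and /account/<id>/product, to a set of constructed sample paths and shows, side by side, what a plain '/account/*' wildcard would let through. The sample IDs are hypothetical, and treating a trailing slash after the ID as blocked is an assumption; relax the pattern if the application issues such requests.

```python
import re

# Allowed shapes, per the thread: /account/<id> and /account/<id>/product,
# where <id> is one non-empty path segment (no slash). The ^...$ anchors are
# what block /account/<id>/product/someotherservice; a bare prefix wildcard
# such as "/account/*" would permit it.
ALLOWED_PATH = re.compile(r"^/account/[^/]+(/product)?$")


def is_allowed(path: str) -> bool:
    """True if the request path matches one of the two permitted shapes."""
    return ALLOWED_PATH.match(path) is not None


def prefix_wildcard_allows(path: str) -> bool:
    """Behaviour of a plain '/account/*' prefix wildcard, for comparison."""
    return path.startswith("/account/")


def classify(paths):
    """Map each path to 'allow' or 'block' under the anchored rule."""
    return {p: ("allow" if is_allowed(p) else "block") for p in paths}


# Constructed sample paths (hypothetical IDs, not taken from the thread).
SAMPLE_PATHS = [
    "/account/12345",
    "/account/12345/product",
    "/account/12345/product/someotherservice",
    "/account/",              # empty ID segment
    "/account/12345/",        # trailing slash after the ID (assumed blocked)
    "/account/12345/orders",  # sub-resource other than product
    "/other/12345",           # different top-level resource
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        wildcard = "allow" if prefix_wildcard_allows(path) else "block"
        print(f"{path:42} anchored={verdict:5} prefix-wildcard={wildcard}")
```

The check runs on the path string as received; if the backend decodes encoded slashes (%2F) or collapses dot segments before routing, canonicalise the path the same way before applying the pattern, otherwise the two sides may disagree about what "one segment" means.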