Forum Discussion

JustJozef's avatar
JustJozef
Icon for Cirrus rankCirrus
Aug 09, 2023

Case (in)sensitivity for JSON schema in ASM policy

Hi all,

I would like to know if follow behaviour is correct or it's bug.

I have ASM policy where JSON profiles are created from swagger file with JSON Schema Files. Global policy setting "Policy is Case Sensitive" is defined to "No".

However payload in requests is strictly checked and if in schema file is defined parameter "username" then request with parameter "Username" is not valid and is against security policy. It mean that Json Schema has higher priority than global settings of policy?

Part of the JSON schema:

"required":["password","username"]

Valid request with payload

{"username":"myuser","password":"mypass"}

Request what report violation "JSON data does not comply with JSON schema"

{"Username":"myuser","Password":"mypass"}

 In details it reports that parameter username is missing and Illegal additional property Username is defined.

devops
security

3 Replies

Sort By
    • JustJozef's avatar
      JustJozef
      Icon for Cirrus rankCirrus
      Aug 22, 2023

      Thanks for response Nikoolayy1 .

      I think that you point to the follow section:

      After a JSON schema is uploaded and selected, the Parse Parameters setting is disabled because the policy stops using any configured policy parameters and begins using the custom JSON parameters from the JSON schema file(s).

      I understood what you mean but JSON schema is still under policy which is case-insensitive. It's correct that parameters are taken from schema instead policy configuration but should global parameters (like case- (in)sensitive) be excluded as well?