Junctions to Windows file systems
WebSEAL performs security checks on client requests to junctioned back-end servers based on the file path specified in the URL. On Windows this check can be bypassed because Win32 file systems allow the same file to be addressed by two different names.
The first method acknowledges the entire file name. For example:
abcdefghijkl.txt
The second method recognizes the old 8.3 file name format for backward compatibility. For example:
abcdef~1.txt
When you create junctions in a Windows environment, it is important that access control is enforced on a single representation of each object, so that no alternative name provides a "back door" around the security mechanism.
The -w option on a junction provides the following measures of protection:
- Prevents the use of the 8.3 file name format
When the junction is configured with the -w option, a user cannot bypass an explicit ACL on a long file name by requesting the short (8.3) form of that name. WebSEAL returns a "403 Forbidden" error for any request that contains a short-form file name.
- Disallows trailing dots in directory and file names
If a file or directory name in the URL ends in one or more dots, WebSEAL returns a "403 Forbidden" error. Win32 strips trailing dots when it resolves a name, so without this check "file.txt." would reach the same file as "file.txt" while evading an ACL attached to "file.txt".
- Enforces case-insensitivity by setting the -i option
The -w option automatically invokes the -i option. This option specifies that WebSEAL treats URLs as case-insensitive when performing authorization checks on a request to a junctioned back-end server. After a successful ACL check, the original case of the URL is restored when the request is sent to the back-end server. If you require control over case-insensitivity only, use the -i option on the junction instead of the -w option.
The -w option is also supported on virtual host junctions.
- ACLs and POPs must attach to lower-case object names
When a junction is created with the -w or -i option, WebSEAL performs ACL and POP comparisons case-insensitively: the name of the object being evaluated is converted to lowercase before WebSEAL checks it against the list of objects to which ACLs and POPs are attached. An ACL or POP attached to an object name that contains uppercase characters is therefore never matched, and the request falls through to the ACL inherited from the parent object.
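The following Python model is an added illustration, not WebSEAL's own code. It reproduces the three checks that the -w option performs (short 8.3 names, trailing dots, lowercase ACL lookup with the original case restored on the forwarded request) and shows both the bypass that exists without -w and why an ACL attached to a mixed-case object name is silently ignored on a -w or -i junction. The junction name, user names, ACL entries and the 8.3 matching heuristic are all constructed for the example.

```python
"""Model of the URL checks a WebSEAL -w junction applies (added example)."""
import re
from urllib.parse import unquote

# Approximate shape of a Win32 8.3 short-name component: a base of at most 8
# characters ending in "~<digits>", plus an optional extension of at most 3.
# This is a constructed heuristic for the model, not WebSEAL's own matcher.
_SHORT_BASE_RE = re.compile(r"^[^.]{1,6}~\d+$")


def is_short_name(component):
    """True if a single path component looks like an 8.3 short name."""
    base, _, ext = component.partition(".")
    return len(base) <= 8 and bool(_SHORT_BASE_RE.match(base)) and len(ext) <= 3


def nearest_acl(obj, acls):
    """Return (attached object, permitted users) for the nearest object on the
    path that carries an ACL, mirroring ACL inheritance down the object space."""
    parts = obj.split("/")
    while parts:
        candidate = "/".join(parts) or "/"
        if candidate in acls:
            return candidate, acls[candidate]
        parts.pop()
    return None, frozenset()


def check_request(user, url_path, acls, w=False, i=False):
    """Authorize a request for a junctioned object.

    Returns (status, detail, forwarded_path); forwarded_path is None when the
    request is rejected. w models the -w junction option and i models -i;
    as on a real junction, -w implies -i.
    """
    i = i or w
    path = unquote(url_path)                 # checks run on the decoded path
    components = [c for c in path.split("/") if c]
    if w:
        for c in components:
            if is_short_name(c):
                return 403, f"short (8.3) file name rejected: {c}", None
            if c.endswith("."):
                return 403, f"trailing dot rejected: {c}", None
    obj = path.lower() if i else path        # lookup key only; case is kept for forwarding
    attached, permitted = nearest_acl(obj, acls)
    if user in permitted:
        return 200, f"permitted by ACL on {attached}", path
    return 403, f"denied by ACL on {attached}", None


# Constructed object space: alice and bob may reach the junction, but only
# alice may read the long-named file. Attached names are lower-case.
ACLS = {
    "/junction": {"alice", "bob"},
    "/junction/abcdefghijkl.txt": {"alice"},
}


def bypass_attempts(w):
    """bob tries four spellings of the protected file; returns the status codes."""
    urls = [
        "/junction/abcdefghijkl.txt",    # the name the ACL is attached to
        "/junction/ABCDEF~1.TXT",        # 8.3 alias of the same file
        "/junction/abcdefghijkl.txt.",   # trailing dot, which Win32 strips
        "/junction/ABCDEFGHIJKL.TXT",    # different case, same file on NTFS
    ]
    return [check_request("bob", u, ACLS, w=w)[0] for u in urls]


def mixed_case_acl_is_ignored():
    """On a -w/-i junction an ACL attached to "/junction/Secret.TXT" is never
    consulted, because the lookup key is lower-cased; bob inherits the
    junction ACL instead. Returns the status bob receives."""
    bad_acls = {"/junction": {"alice", "bob"}, "/junction/Secret.TXT": {"alice"}}
    return check_request("bob", "/junction/Secret.TXT", bad_acls, w=True)[0]


if __name__ == "__main__":
    print("without -w:", bypass_attempts(False))   # three of four attempts succeed
    print("with -w:   ", bypass_attempts(True))    # all four are refused
    print("alice, case restored:", check_request("alice", "/junction/ABCDEFGHIJKL.TXT", ACLS, w=True))
    print("mixed-case ACL, bob gets:", mixed_case_acl_is_ignored())
```

Without -w, only the exact lower-case spelling is denied; the 8.3 alias, the trailing-dot form and the upper-case form all inherit the junction's ACL and reach the back end. With -w, the first two are refused outright and the third is lower-cased into the explicit ACL, while a permitted request is forwarded with its original case intact. The last function shows the consequence of attaching an ACL to a mixed-case name on such a junction.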