Modification of server-relative URLs with junction mapping
Server-relative URLs generated on the client-side by applets and scripts initially lack knowledge of the junction point. WebSEAL cannot filter the URL because it is generated on the client-side. During a client request for a resource using this URL, WebSEAL can attempt to reprocess the server-relative URL using a junction mapping table. A junction mapping table maps specific target resources to junction names. Junction mapping is an alternative to the cookie-based solution for filtering dynamically generated server-relative URLs.
WebSEAL checks the location information in the server-relative URL with the data contained in the junction mapping table. WebSEAL begins searching from the top of the table and continues downward through the table. If the path information in the URL matches any entry in the table during the top-down search, WebSEAL directs the request to the junction associated with that location.
The table is an ASCII text file called jmt.conf. The name of this file is specified in the [junction] stanza of the WebSEAL configuration file:
jmt-map = jmt.conf
The format for data entry in the table consists of the junction name, a space, and the resource location pattern. We can also use wildcard characters to express the resource location pattern. In the following example of the junction mapping configuration file, two back-end servers are junctioned to WebSEAL at /jctA and /jctB:
#jmt.conf
#junction-name resource-location-pattern
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg
We must create the jmt.conf mapping table. This file does not exist by default. After creating the file and adding data, use the jmt load command to load the data so that WebSEAL has knowledge of the new information.
pdadmin> server task server-name jmt load
JMT table successfully loaded.
Conditions:
- The junction mapping solution handles inbound requests intercepted by WebSEAL. Requests made using unfiltered absolute URLs that point to a server external to the WebSEAL environment (and therefore never intercepted by WebSEAL) are not handled by the junction mapping table solution.
- This solution does not require the -j option or junction cookie.
- The mapping table requires setup and activation by a security administrator.
- Resource location pattern matching must be unique across the local Web space and across junctioned Web application servers.
- If there is a duplicate pattern entry in the file, the mapping table does not load. However, WebSEAL continues to run.
- If there is an error loading the mapping table, the mapping table is not available. However, WebSEAL continues to run.
- If the mapping table is empty or there is an error in the table entries, the mapping table does not load. However, WebSEAL continues to run.
- Any errors that occur while loading the mapping table result in serviceability entries in the WebSEAL server log file (webseald.log).
- By default, WebSEAL modifies the names of non-domain cookies (returned in responses from back-end applications) across junctions listed in the junction mapping table. WebSEAL creates unique cookie names to prevent possible naming conflicts with cookies returned across other junctions. See Handling cookies from servers across multiple -j junctions.
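
The load conditions and top-down search described above, as an added example (not IBM's code): a check to run on jmt.conf before jmt load that flags malformed and duplicate entries, resolves a request path first-match from the top, and reports entries that an earlier wildcard for a different junction already covers. It assumes that lines starting with # are comments, that junction names and patterns start with /, and that wildcards behave like shell globs (Python's fnmatch); WebSEAL's exact wildcard semantics are not given on this page.

```python
from fnmatch import fnmatchcase

# Constructed sample: the page's table plus two deliberately bad entries.
SAMPLE_JMT = """\
#jmt.conf
#junction-name resource-location-pattern
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg
/jctA /accounts/login.html
/jctA /travel/index.html
"""

def parse_jmt(text):
    """Return (entries, errors); entries keeps file order as (junction, pattern)."""
    entries, errors, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines are comments
            continue
        fields = line.split()
        # Assumption: junction names and patterns both start with '/', as on the page.
        if len(fields) != 2 or not all(f.startswith("/") for f in fields):
            errors.append(f"line {lineno}: malformed entry")
        elif fields[1] in seen:
            errors.append(f"line {lineno}: duplicate pattern, first on line {seen[fields[1]]}")
        else:
            seen[fields[1]] = lineno
            entries.append((fields[0], fields[1]))
    if not entries:
        errors.append("no usable entries")
    return entries, errors

def resolve(entries, path):
    """Top-down search: the first pattern that matches decides the junction."""
    for junction, pattern in entries:
        if fnmatchcase(path, pattern):  # assumption: shell-style wildcards
            return junction
    return None

def shadowed(entries):
    """Entries whose pattern is already matched by an earlier entry for another junction."""
    hits = []
    for i, (junction, pattern) in enumerate(entries):
        for earlier_jct, earlier_pat in entries[:i]:
            if earlier_jct != junction and fnmatchcase(pattern, earlier_pat):
                hits.append((pattern, earlier_pat))
                break
    return hits
```

In the constructed sample, /accounts/login.html is listed for /jctA but a request for it resolves to /jctB, because the earlier /accounts/* entry matches first.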
See also Controlling server-relative URL processing in requests.