Bypassing buffering on a per-resource basis
WebSEAL uses an internal buffer when processing data sent in requests to WebSEAL and responses from junction applications.
This buffering typically provides performance improvement. For certain applications that send or return small amounts of data, the buffering can cause the data to be held temporarily at WebSEAL while the buffer is being filled. For some applications, it might be preferable to bypass the buffering and stream the data directly to the junctioned server or to the clients. This scheme is not efficient for general web traffic; apply it only to particular resources that require streamed data. For example, apply it to junctions configured for RPC over HTTP communication. See Microsoft RPC over HTTP.
We can apply a protected object policy (POP) to individual resources that directs WebSEAL to bypass buffering for those resources. To bypass buffering for a particular resource response, attach a POP to the resource with an attribute named response-buffer-control set with the value bypass. To bypass buffering for a particular resource request, attach a POP to the resource with an attribute named request-buffer-control set with the value bypass.
The following example:
- Creates a POP named bypassPOP.
- Sets the response-buffer-control and request-buffer-control attributes to bypass.
- Attaches the POP to a resource named smallCGI.
Steps
- Create a POP named bypassPOP with the appropriate attributes.
pdadmin> pop create bypassPOP
pdadmin> pop modify bypassPOP set attribute response-buffer-control bypass
pdadmin> pop modify bypassPOP set attribute request-buffer-control bypass
- Attach the POP to the chosen resource.
pdadmin> pop attach /WebSEAL/myinstance/myjunction/cgi-bin/smallCGI bypassPOP
This POP only affects the data in the body of the request or response that is received from the client or junction. WebSEAL still buffers the request and response headers.
When bypassing buffering for HTTP requests using this POP technique, there are limitations. Certain WebSEAL functions require the entire request body, and this body is not available when streaming a request to a junctioned server.
WebSEAL response streaming can still be applied to resources that use this WebSEAL functionality. The following WebSEAL functionality cannot be used with request streaming:
- Caching of POST data during the authentication process.
- Dynamic authorization decision information (dynADI) when POST data is part of the decision evaluation.
- Dynamic URLs (dynURL) when POST data is part of the decision evaluation.
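The following added example (not part of the original documentation) plans POP attachments so that request streaming is never applied to a resource where WebSEAL needs the POST body for the functions listed above. The inventory format, the paths other than smallCGI, and the POP name bypassRespPOP are assumptions made for this example. The script only prints pdadmin commands for review and does not run them.

```shell
#!/bin/sh
# Added example. Inventory columns (format constructed for this example):
#   <protected-object-path> <mode: both|response> <WebSEAL-needs-POST-body: yes|no>
# bypassPOP is the POP from the page; bypassRespPOP is a hypothetical name
# for a POP that streams responses only.
NL='
'

sample_inventory() {   # constructed data; only smallCGI appears on the page
    cat <<'EOF'
/WebSEAL/myinstance/myjunction/cgi-bin/smallCGI both no
/WebSEAL/myinstance/myjunction/cgi-bin/transfer both yes
/WebSEAL/myinstance/myjunction/reports/feed response no
EOF
}

plan_pop() {           # stdin: inventory; stdout: pdadmin commands to review
    need_both=0 need_resp=0 attach=""
    while read -r path mode postdep; do
        case "$path" in ''|'#'*) continue ;; esac
        pop=bypassPOP
        if [ "$mode" = response ]; then
            pop=bypassRespPOP
        elif [ "$postdep" = yes ]; then
            # POST caching, dynADI or dynURL needs the body: keep request buffering.
            echo "response-only for $path: WebSEAL needs the request body" >&2
            pop=bypassRespPOP
        fi
        if [ "$pop" = bypassPOP ]; then need_both=1; else need_resp=1; fi
        attach="${attach}pop attach $path $pop$NL"
    done
    if [ "$need_both" = 1 ]; then
        echo "pop create bypassPOP"
        echo "pop modify bypassPOP set attribute response-buffer-control bypass"
        echo "pop modify bypassPOP set attribute request-buffer-control bypass"
    fi
    if [ "$need_resp" = 1 ]; then
        echo "pop create bypassRespPOP"
        echo "pop modify bypassRespPOP set attribute response-buffer-control bypass"
    fi
    printf '%s' "$attach"
}

sample_inventory | plan_pop
```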