Manual Chapter: Working with Web Applications

In the Application Security Manager, a web application is the logical representation of the application that you are protecting with a security policy. When you create an application security class, the system automatically creates a corresponding web application and default security policy for the web application.
Once you have created any application security classes, you can review the corresponding list of web applications within the application security configuration. The web applications list provides the following summary information:
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
4. Click a logging profile to view or modify its properties. Note that you can modify only user-defined logging profiles.
In the Application Security Manager, the web application properties specify the general attributes and preferences for the web application itself. The web application properties help refine how the Application Security Manager processes requests for the web application. The web application properties include:
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. In the Name column, click a web application name.
   The Web Application Properties screen opens, where you can view and modify the web application's properties.
Every web application has a language encoding that determines the character set that browsers use to display the application. The Application Security Manager supports multi-byte language encodings. You must set the application language so that the Application Security Manager knows the acceptable character set for the application. The Application Security Manager uses the encoding associated with the selected language for security policy editing purposes. The Policy Enforcer also uses the language encoding for the web application when applying a security policy to a request.
Important: You must set the application language before you can see or work with any of the other web application properties, or configure security policies for the web application. Note that once you set the web application language, you cannot change it.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. In the Name column, click a web application name.
   The Web Application Properties screen opens.
3. In the Web Application Properties section, from the Application Language list, select the character set encoding that is appropriate for your web application.
4. Click Update.
   The screen refreshes, and you see the web application properties.
The active security policy is the security policy that the Application Security Manager uses to validate requests for, and responses from, the web application. Only one security policy can be active at a time, even though you may have several security policies configured for the web application.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. In the Name column, click a web application name.
   The Web Application Properties screen opens.
3. In the Web Application Properties area, from the Active Security Policy list, select the security policy that you want to be the active security policy for the web application. Note that the system automatically enables (checks) the Apply Policy setting when you change the Active Security Policy setting on this screen.
4. Click Update.
   The screen refreshes, and in the Active Security Policy list, you see [A] next to the new active security policy.
Important: You can set the active security policy from most screens in the Configuration utility, in addition to setting it from the Web Application Properties screen, as described above. For more information, see Setting the active policy for a web application.
The logging profile determines whether the system logs every request for a web application, logs only those requests that violate the active security policy, or does not log any requests. The logging profile also specifies whether the request data is stored locally or remotely. You can use a system-supplied logging profile, or you can create a user-defined logging profile. Refer to Configuring logging profiles for web application data for more information.
Tip: If your web application receives a high volume of requests, you may want to log only those requests that violate the active security policy so that the system resources are not overburdened.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. In the Name column, click a web application name.
   The Web Application Properties screen opens.
3. In the Web Application Properties area, for the Logging Profile setting, select one of the following options:
   Log all requests: Select this option if you want the system to log every request for this web application.
   Log illegal requests: Select this option if you want the system to log only requests which trigger a violation according to the currently-active security policy.
   No logging: Select this option if you do not want the system to log any requests for this web application.
4. Click Update.
   The system updates the configuration with any changes you may have made.
When a web application uses dynamic sessions in URLs, the Application Security Manager cannot use its normal functions to extract and enforce objects or flows because the URI contains a dynamic element. If the web application that you are securing stores dynamic session information in a URL, you can enable the Dynamic Sessions in URL option. When the system receives a request (or response) in which the dynamic session information does not match the settings for the web application, the Policy Enforcer issues the Illegal session ID in URL violation.
When you enable the Dynamic Sessions in URL option, the Application Security Manager extracts the dynamic session information from requests or responses, based on the pattern that you configure. For requests, the Policy Enforcer applies the pattern to the URI up to, but not including the question mark (?) character of a query string. For responses, the Policy Enforcer applies the pattern to the URI and the body text.
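Added example (not part of the manual and not Application Security Manager code): a Python sketch of the scoping rule described above, where the pattern is applied to a request URI only up to the question mark, and to both the URI and the body text of a response. The regular expression, the sample URIs, and the rule that a request's session ID matches only if an earlier response carried it are assumptions made for illustration.

```python
import re

# Constructed pattern (cookieless-session style path segment); an assumption
# for this example, not a value taken from the manual or from ASM.
SESSION_PATTERN = re.compile(r"/\(S\(([a-z0-9]+)\)\)")
VIOLATION = "Illegal session ID in URL"  # violation name as given in the text


def split_request_uri(uri):
    """Apply the pattern to the URI up to, but not including, the '?'."""
    path, _, query = uri.partition("?")
    match = SESSION_PATTERN.search(path)
    session_id = match.group(1) if match else None
    # Removing the dynamic element leaves a static path to evaluate.
    static_path = SESSION_PATTERN.sub("", path, count=1)
    return session_id, static_path, query


def learn_from_response(uri, body, issued):
    """For responses, the pattern covers the URI and the body text."""
    for text in (uri, body):
        issued.update(SESSION_PATTERN.findall(text))
    return issued


def check_request(uri, issued):
    """Return (static_path, violation or None) for one request URI.

    Assumption of this sketch: an ID "matches" only if an earlier
    response carried it; a request with no ID in its path is not flagged.
    """
    session_id, static_path, _ = split_request_uri(uri)
    if session_id is not None and session_id not in issued:
        return static_path, VIOLATION
    return static_path, None


if __name__ == "__main__":
    issued = set()
    # Constructed sample traffic.
    learn_from_response("/(S(abc123))/login.aspx",
                        '<a href="/(S(abc123))/cart.aspx">Cart</a>', issued)
    for uri in ("/(S(abc123))/cart.aspx?item=5",
                "/(S(zzz999))/cart.aspx",
                "/cart.aspx?next=/(S(zzz999))/x"):
        print(uri, "->", check_request(uri, issued))
```

The third sample URI carries a session-like token only in its query string, so the pattern never sees it and the request is evaluated as the static path /cart.aspx.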
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. In the Name column, click a web application name.
   The Web Application Properties screen opens.
3. In the Web Application Properties section, for the Dynamic Sessions in URL option, enable or disable the dynamic sessions in URL as required by the web application. For help with the settings, click the Help tab in the navigation pane.
4. Click Update.
   The system updates the configuration with any changes you have made.
There may be circumstances when you want to remove all security policies, requests, logging, and configuration information from a web application, and set the web application back to a new, non-configured state. You can do this by using the Reconfigure button on the Web Application Properties screen.
Important: Using the Reconfigure button to clear the configuration information for a web application is a permanent action, and cannot be undone. Use this setting with caution.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. In the Name column, click a web application name.
   The Web Application Properties screen opens.
3. Above the Web Application Properties area, click the Reconfigure button.
   A confirmation popup screen opens.
4. Click OK to complete the reset action.
   The system deletes all data associated with this web application from the configuration.
A web application group is a collection of web applications within the Application Security Manager configuration. Web application groups are made up of two or more web applications. A web application can belong to more than one web application group; however, a web application does not have to belong to a web application group. The Application Security Manager lists web applications that are not members of any web application group in the ungrouped area of the Web Application Groups screen. Recall that there is a one-to-one relationship between application security classes and web applications. In many cases, you may have several application security classes (and thus, web applications) configured for one actual web-based application. You can create a web application group, and then use that group to consolidate the requests, events, and log information about the actual web application.
When you create a web application group, you are creating an association between the member web applications. Once you have created a web application group, you can view statistics, logging, and security events in the context of the web application group, in addition to the individual web applications themselves.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. On the menu bar, click Web Application Groups.
   The Web Application Groups screen opens.
3. Click the Create button.
   The Group Properties screen opens.
4. In the Name box, type a name for the group.
5. For the Web Applications setting, from the Available list, select the web applications that you want to add to the new web application group, and use the Move (<<) button to add them to the Members list.
6. Click Save to update the configuration with the new web application group.
If you no longer require the web application group, you can easily remove the group from the configuration. Note that this action does not delete the web applications themselves.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. On the menu bar, click Web Application Groups.
   The Web Application Groups screen opens.
3. Check the Select box next to the web application group that you want to delete, and then click Delete.
   A confirmation popup screen opens.
4. Click OK.
   The system deletes the web application group.
There are two situations in which the Application Security Manager automatically disables web applications. These situations occur when you:
Disable the Application Security setting on an application security class
The system disables the web application because a web application must have a corresponding application security class.
When the system disables a web application, it moves the web application state from enabled to disabled. You can review the web application state on the Web Applications screen.
1. On the Main tab of the Application Security navigation pane, click Web Applications.
   The Web Applications screen opens.
2. In the Web Applications area, in the State column, you can see which web applications are enabled and which web applications are disabled.
You can re-enable a disabled web application either by creating an application security class with the same name as the disabled web application, or by re-enabling the Application Security setting for an existing application security class. In both cases, the system automatically re-enables the disabled web application, as long as the application security class has the same name, exactly, as the disabled web application.