Manual Chapter: Configuration Guide for BIG-IP® Application Security Management: 7 - Working With Parameters
7 Working With Parameters

Understanding parameters

Parameters are an integral entity in any web application. When you define parameters in a security policy, you tighten the security of the web application. Application Security Manager evaluates defined parameters, meta characters, query string lengths, and POST data lengths as part of a positive security logic check. The system also evaluates parameters as part of a negative security logic check. The Policy Enforcer verifies parameters in the context of a security policy, not a web application. In other words, any parameters that you configure in a security policy are enforced only by that security policy.

You can define parameters as global parameters, web object parameters, and flow parameters. For information on configuring global parameters, see Working with global parameters. For information on configuring web object parameters, see Working with web object parameters. For information on configuring flow parameters, see Working with flow parameters.

There are several types of parameters that you can configure: static content, dynamic content, dynamic name, and user-input. You can also configure parameters for which the system does not check or verify the value. With the exception of dynamic parameter names, you can configure a global, object, or flow parameter as any parameter type. The dynamic parameter name type is applicable only to flow parameters. Refer to Understanding parameter types for more information.

Understanding how the Policy Enforcer processes parameters

The Policy Enforcer uses the following priority when enforcing parameters:

  • Flow parameters
  • Object parameters
  • Global parameters

If a parameter is defined more than once in the request context, the Policy Enforcer applies only the more specific definition. For example, the parameter param_1 is defined as a static content global parameter, and also defined as a user-input object parameter. When the Application Security Manager receives a request for the parameter's object, the Policy Enforcer generates any violations based on the object parameter definition, not the global parameter definition.
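The precedence rule above, modelled in code as an added illustration (this is not F5 code; the ParamDef and ParameterPolicy names, the web object paths and the sample definitions are this example's own assumptions). It resolves the chapter's param_1 case, where the object definition wins over the global one, and also shows a flow parameter tied to a GET flow that has no matching definition when the same parameter arrives in a POST request:

```python
# Added illustration of the precedence rule (flow > object > global).
# Not F5 code: ParamDef, ParameterPolicy and the sample definitions are
# this example's own assumptions.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ParamDef:
    """One parameter definition in a security policy."""
    name: str
    scope: str                    # "flow", "object" or "global"
    param_type: str               # e.g. "static content", "user-input"
    obj: Optional[str] = None     # web object (object and flow scope only)
    method: Optional[str] = None  # HTTP method of the flow (flow scope only)


class ParameterPolicy:
    # The most specific definition wins, in this order.
    PRECEDENCE = ("flow", "object", "global")

    def __init__(self, defs: Iterable[ParamDef]):
        self.defs = list(defs)

    @staticmethod
    def _applies(d: ParamDef, obj: str, method: str) -> bool:
        """Does definition d cover parameter d.name in a (method, obj) request?"""
        if d.scope == "global":
            return True
        if d.scope == "object":
            return d.obj == obj
        if d.scope == "flow":
            return d.obj == obj and d.method == method
        raise ValueError(f"unknown scope: {d.scope}")

    def resolve(self, name: str, obj: str, method: str) -> Optional[ParamDef]:
        """Return the single definition the enforcer applies in this request
        context, or None when no definition covers the parameter there."""
        candidates = [d for d in self.defs
                      if d.name == name and self._applies(d, obj, method)]
        if not candidates:
            return None
        candidates.sort(key=lambda d: self.PRECEDENCE.index(d.scope))
        return candidates[0]


# Constructed sample policy. param_1 is the chapter's example: a static content
# global parameter that is also defined as a user-input object parameter.
SAMPLE_DEFS = [
    ParamDef("param_1", "global", "static content"),
    ParamDef("param_1", "object", "user-input", obj="/account.php"),
    # A flow parameter tied to the GET flow of /login.php only (constructed).
    ParamDef("token", "flow", "dynamic content value", obj="/login.php", method="GET"),
]


def describe(policy: ParameterPolicy, name: str, obj: str, method: str) -> str:
    d = policy.resolve(name, obj, method)
    if d is None:
        # No definition covers this context. The chapter gives a GET-flow
        # parameter arriving in a POST request as a case that raises an
        # illegal parameter violation.
        return f"{method} {obj} {name}: no matching definition (illegal parameter)"
    return f"{method} {obj} {name}: enforced as {d.param_type} ({d.scope} parameter)"


if __name__ == "__main__":
    policy = ParameterPolicy(SAMPLE_DEFS)
    for args in [("param_1", "/account.php", "GET"),
                 ("param_1", "/search.php", "GET"),
                 ("token", "/login.php", "GET"),
                 ("token", "/login.php", "POST")]:
        print(describe(policy, *args))
```

Running the script prints which definition applies for each request context; a request for /search.php falls back to the global definition of param_1 because no object or flow definition covers that object.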

Working with global parameters

When a web application has a parameter that you do not want to define in the context of a web object or a flow, you can define a global parameter. Global parameters are those that do not have an association with a specific web object or application flow. Therefore, you can configure a global parameter once, and the Policy Enforcer enforces the parameter wherever it occurs. Typically, you define parameters as part of a high security (APC) security policy. However, because global parameters are not associated with a web object or flow, you can define them when you are using the standard level of security for a security policy. For more information on security levels, see Configuring the security level.

Creating a global parameter

You create a global parameter to address the following conditions:

  • The web application has a parameter that appears in several web objects or flows.
  • You are configuring a security policy that uses the standard level of security, and you want the Application Security Manager to enforce a specific set of parameters. (Recall that a standard security policy does not enforce web objects or flows. See Configuring the security level for more information.)

To create a global parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are creating a global parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the global parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Global Parameters.
    The Global Parameters screen opens.
  5. Above the List of Global Parameters area, click the Create button.
    The Global Parameter Properties screen opens.
  6. In the Create New Parameter area, fill in the information as required.
  7. In the Parameter Characteristics area, fill in the information as required. Note that the parameter type determines the parameter characteristics. See Configuring parameter characteristics for more information.
  8. Click the Create button to add the new global parameter to the security policy.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Editing the properties of a global parameter

There may be times when you need to update the characteristics of a global parameter. This is easily done by editing the parameter properties.

To edit a global parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are editing a global parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the global parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Global Parameters.
    The Global Parameters screen opens.
  5. In the List of Global Parameters area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
    The Global Parameter Properties screen opens.
  6. Make any changes to the parameter properties, as required.
  7. When you have finished, click Update.
    The system saves any changes you may have made, and returns you to the Global Properties screen.

Deleting a global parameter

Web applications can change over time, and there may be occasions when you need to delete a global parameter.

To delete a global parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are deleting a global parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that enforces the global parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Global Parameters.
    The Global Parameters screen opens.
  5. In the List of Global Parameters area, in the Select column (far left), check the box next to the parameter that you want to remove, and then click the Delete button.
    The system displays a popup confirmation screen.
  6. Click OK.
    The system deletes the parameter.

Working with web object parameters

You define parameters in the context of a web object when a parameter is relevant to that particular object, and you do not want the system to also verify the object's associated flows. That is, you define a web object parameter when it does not matter where the user was before they access this web object, and when it does not matter whether the parameter was in a GET or POST request. When you define a web object parameter, the Policy Enforcer applies the security policy to the parameter attributes in the context of the associated web object, and ignores the flow information.

Creating a web object parameter

When you create a parameter that is associated with a web object, the Policy Enforcer verifies the parameter in the context of the web object. For example, for the login parameters for an online bank, you may want to provide additional security for the user name and user password in the login object by specifying the acceptable user-input characters, such as making the acceptable character set as A-Z, a-z, 0-9, and $, #, !, _, -.

Important

The following task assumes that the web object for which you want to create a parameter is already configured in the security policy. If this is not the case, refer to Working with the Web Objects entity for information on adding a web object to the configuration.

To create a parameter associated with a web object

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are creating a web object parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the web object parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Web Objects.
    The Web Objects screen opens.
  5. In the Web Application Objects (Site Map) area, in the Accessible Objects List column, click the name of the web object for which you want to create a parameter.
    The Object Properties screen opens.
  6. Above the List of Object Parameters area, click the Create button.
    The Object Parameter Properties screen opens.
  7. In the Create New Parameter area, fill in the information as required.
  8. In the Parameter Characteristics area, fill in the information as required. Note that the parameter type determines the parameter characteristics. See Configuring parameter characteristics for more information.
  9. Click the Create button to add the new parameter to the security policy.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Editing the properties of a web object parameter

There may be times when you need to update the characteristics of a web object parameter. This is easily done by editing the parameter properties.

To edit the properties of a web object parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are editing a web object parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the web object parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Web Objects.
    The Web Objects screen opens.
  5. In the Web Application Objects (Site Map) area, in the Accessible Objects List column, click the name of the web object with which the parameter is associated.
    The Object Properties screen opens.
  6. In the List of Object Parameters area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
    The Object Parameter Properties screen opens.
  7. Make any changes to the parameter properties, as required.
  8. When you have finished, click Update.
    The system saves any changes you may have made, and returns you to the Object Properties screen.

Deleting a web object parameter

Web applications can change over time, and there may be occasions when you need to delete a parameter from a web object.

To delete a parameter from a web object

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are deleting a web object parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that enforces the web object parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Web Objects.
    The Web Objects screen opens.
  5. In the Web Application Objects (Site Map) area, in the Accessible Objects List column, click the name of the web object with which the parameter is associated.
    The Object Properties screen opens.
  6. In the List of Object Parameters area, in the Select column (far left), check the box next to the parameter that you want to remove from the web object, and then click the Delete button.
    The system displays a popup confirmation screen.
  7. Click OK.
    The system deletes the parameter.

Working with flow parameters

You define parameters in the context of a flow when it is important to enforce whether a parameter is in a GET request or a POST request. Defining a parameter in the context of a flow is the most specific context, and thus provides the tightest security for the web application.

Note

The Policy Builder defines all parameters as flow parameters, that is, parameters in the context of a flow.

Creating a flow parameter

When you create a parameter that is associated with a flow, the Policy Enforcer verifies the parameter in the context of the flow. For example, if you define a parameter in the context of a GET request, and a client sends a POST request that contains the parameter, the Policy Enforcer generates an illegal parameter violation.

For APC security policies, you can define flow parameters for very tight, flow-specific security. With this increased protection comes an increase in maintenance and configuration time. However, you can use the Policy Builder to expedite the security policy-building process for user-input and static parameters. Note that if your web application uses dynamic parameters, you manually add those to the security policy.

Important

The following task assumes that the flow for which you want to create a parameter is already configured in the security policy. If this is not the case, refer to Working with the Flows entity for information on adding a flow to the configuration.

To create a parameter associated with an application flow

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the relevant web application.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the flow parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Flows.
    The Flows screen opens.
  5. In the Flows List area, click the Expand button to view the flows.
  6. In the Flows List, click the name of the flow to which you want to add a parameter.
    The Flow Properties screen opens.
  7. Above the List of Flow Parameters area, click the Create button.
    The Flow Parameter Properties screen opens.
  8. In the Create New Parameter area, fill in the information as required.
  9. In the Parameter Characteristics area, fill in the information as required. Note that the parameter type determines the applicable parameter characteristics. See Configuring parameter characteristics for more information.
  10. Click the Create button to add the new parameter to the security policy.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Editing the properties of a flow parameter

There may be times when you need to update the characteristics of a flow parameter. This is easily done by editing the parameter properties.

To edit the properties of a flow parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are editing a flow parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the flow parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Flows.
    The Flows screen opens.
  5. In the Flows List area, click the Expand button to view the flows.
  6. In the Flows List, click the name of the flow with which the parameter is associated.
    The Flow Properties screen opens.
  7. In the List of Flow Parameters area, in the Parameter Name column, click the name of the parameter whose properties you want to edit.
    The Flow Parameter Properties screen opens.
  8. Make any changes to the parameter properties, as required.
  9. When you have finished, click Update.
    The system saves any changes you may have made, and returns you to the Flow Properties screen.

Deleting a flow parameter

Web applications can change over time, and there may be occasions when you need to delete a parameter from a flow.

To delete a parameter from a flow

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are deleting a flow parameter.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that enforces the flow parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Flows.
    The Flows screen opens.
  5. In the Flows List area, click the Expand button to view the flows.
  6. In the Flows List, click the name of the flow with which the parameter is associated.
    The Flow Properties screen opens.
  7. In the List of Flow Parameters area, in the Select column (far left), check the box next to the parameter that you want to remove from the flow, and then click the Remove button.
    The system displays a popup confirmation screen.
  8. Click OK.
    The system deletes the parameter.

Configuring parameter characteristics

Parameter characteristics define the individual attributes of the parameter. The parameter characteristics change depending on the type of parameter that you specify.

Understanding parameter types

When you add a parameter to the security policy, you specify the parameter type. The Policy Enforcer then knows in what form to expect the parameter value, and applies the security policy accordingly. You can configure global parameters, web object parameters, and flow parameters as any parameter type, with the exception of the dynamic parameter name type. You can configure only flow parameters as this type.

The parameter types are:

  • Static content value
    Static parameters are those that have a known set of values. A list of country names, or a yes/no form field, are both examples of static parameters. For information on configuring static parameters, see Configuring parameter characteristics for static parameters.
  • User-input value
    User-input parameters are those that require users to enter or provide some sort of data. Comment, name, and phone number fields on an online form are all examples of user-input parameters. You can also configure a parameter as user-input even if the parameter is not really user input. For example, if a parameter has a wide range of values, or has many static values, you may want to configure the parameter as a user-input parameter instead of a static content parameter. For information on configuring user-input parameters, see Configuring parameter characteristics for user-input parameters.
  • Dynamic content value
    Dynamic parameters are those whose set of values can change, and are often linked to a user session. The server sets the value for dynamic content value (DCV) parameters. DCV parameters are often associated with applications that use session IDs for client sessions. For information on configuring DCV parameters, see Configuring dynamic content value parameters.
  • Dynamic parameter name
    Some dynamic parameters have dynamic names as well as dynamic values. If you want the Policy Enforcer to enforce dynamic names as well as dynamic values, use this parameter type. For information on configuring dynamic parameter names, see Configuring parameter characteristics for dynamic parameter names.

A note about configuring parameters

Configuring parameters for a web application can be a lengthy and arduous task. While you can do this manually, as explained throughout the remainder of this chapter, you can also use the Policy Builder and the Learning process to help you discover the parameters and values that are part of your web application.

Configuring parameter characteristics for static parameters

Static parameters are parameters whose possible values form a known set. For example, the credit card type parameter, for payment in a shopping application, may have the value set of Mastercard®, Visa®, and American Express®. When you configure the static parameter characteristics, you are essentially creating the value set for the parameter.

To configure static parameter characteristics

  1. Create a new parameter.
  2. For the Parameter Type setting, select Static content value.
    The screen refreshes and displays the Parameter Static Values area.
  3. In the Parameter Static Values area, for the New Static Content Value setting, type the new value in the Add box.
  4. Click the Add button to add the value to the values list.
  5. Repeat steps 3 and 4 to add all the values that this parameter requires.
  6. Click the Create button to save the parameter in the configuration.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Configuring parameter characteristics for user-input parameters

User-input parameters are those for which a user can provide a value. For user-input parameters, you can configure the Application Security Manager to verify minimum and maximum values, minimum and maximum lengths, and valid meta characters. The system can also check for attack patterns within the text.

User-input parameters can accept many different data types. The data types are: alpha-numeric, binary, decimal, email, integer, and phone. Depending on the data type that you configure, there are additional options that the Policy Enforcer can verify, as noted in the following sections.

Tip

You can configure any parameter as a user-input parameter if you want the system to apply a broader verification to the parameter values.

Configuring an alpha-numeric user-input parameter

The alpha-numeric data type specifies that the parameter value can contain letters, digits, and the underscore character. For this data type, you can specify a maximum length, and you can define the acceptable parameter values as a regular expression. You can also specify one or more meta characters (in addition to the base character set of a-z, A-Z, 0-9), and one or more regular expressions (which represent common attack patterns), that are acceptable within the context of the parameter.

Note

If you enable regular expressions for an alpha-numeric parameter, the system may automatically enable certain meta characters (in the Allowed Meta Characters list) that are part of the regular expressions, even if you have not explicitly enabled meta characters for the parameter.

To configure an alpha-numeric user-input parameter

  1. Create a new parameter.
  2. For the Parameter Type setting, select User-input value.
    The screen refreshes and displays the Parameter Characteristics area.
  3. In the Parameter Characteristics area, for the Data Type setting, select Alpha-Numeric.
  4. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
  5. If you want the Policy Enforcer to enforce the parameter value using pattern matching, check the Regular Expression box, and type a regular expression. Note that when you enable this setting, the only values that are acceptable for the parameter are those that exactly match the regular expression pattern that you provide. All other values are considered illegal in the context of this parameter.
  6. If you want to make certain meta characters valid as part of the parameter value, check the Enable Allowed Meta Characters List box.
    The screen refreshes, and displays the meta character set.
  7. Check the box next to any meta characters in the list that are acceptable in the context of the parameter value. Note that the possible meta character options change depending on the language encoding of the web application. (For more information, see Configuring the web application language.)
  8. If you want to make certain known attack patterns valid as part of the parameter value, check the Enable Allowed Regular Expression List box.
    The screen refreshes, and displays the attack pattern set.
  9. Check the box next to any regular expressions in the list that are acceptable in the context of the parameter value.
  10. Click the Create button to add the parameter to the configuration.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Configuring a binary user-input parameter

The binary data type specifies that the parameter value is text for which the system does not verify meta characters or attack patterns. Typically, you use this data type for binary file uploads. Note that for this data type, you specify only a maximum length.

To configure a binary user-input parameter

  1. Create a new parameter.
  2. For the Parameter Type setting, select User-input value.
    The screen refreshes and displays the Parameter Characteristics area.
  3. In the Parameter Characteristics area, for the Data Type setting, select Binary (Length checks only).
  4. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
  5. Click the Create button to add the parameter to the configuration.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Configuring a decimal user-input parameter

The decimal data type specifies that the parameter value is numeric, and can include integers and decimals only. For this data type, you can specify a minimum value, a maximum value, and a maximum length.

To configure a decimal user-input parameter

  1. Create a new parameter.
  2. For the Parameter Type setting, select User-input value.
    The screen refreshes and displays the Parameter Characteristics area.
  3. In the Parameter Characteristics area, for the Data Type setting, select Decimal.
  4. If you want the Policy Enforcer to enforce a minimum value for the parameter value, check the Check Min. Value box, and type a number.
  5. If you want the Policy Enforcer to enforce a maximum value for the parameter value, check the Check Max. Value box, and type a number.
  6. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
  7. Click the Create button to add the parameter to the configuration.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Configuring an email user-input parameter

The email data type specifies that the parameter value is in the email address format. Values for this data type can include letters, numbers, the at meta character ( @ ), the period ( . ) character, and the underscore ( _ ) character. For this data type you can specify only a maximum length.

Note

We recommend that you use the email data type only if the web application has client-side data validation for the parameter.

To configure an email user-input parameter

  1. Create a new parameter.
  2. For the Parameter Type setting, select User-input value.
    The screen refreshes and displays the Parameter Characteristics area.
  3. In the Parameter Characteristics area, for the Data Type setting, select Email.
  4. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
  5. Click the Create button to add the parameter to the configuration.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Configuring an integer user-input parameter

The integer data type specifies that the parameter value is numeric, and can include only whole numbers. For this data type, you can specify a minimum value, a maximum value, and a maximum length.

To configure an integer user-input parameter

  1. Create a new parameter.
  2. For the Parameter Type setting, select User-input value.
    The screen refreshes and displays the Parameter Characteristics area.
  3. In the Parameter Characteristics area, for the Data Type setting, select Integer.
  4. If you want the Policy Enforcer to enforce a minimum value for the parameter value, check the Check Min. Value box, and type a number.
  5. If you want the Policy Enforcer to enforce a maximum value for the parameter value, check the Check Max. Value box, and type a number.
  6. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
  7. Click the Create button to add the parameter to the configuration.

Tip

If you want the Policy Enforcer to start enforcing this parameter, be sure to make the security policy active. See Setting the active policy for a web application for more information.

Configuring a phone user-input parameter

The phone data type specifies that the parameter value is in the phone number format. Values for this data type can include numbers, the hyphen meta character ( - ), and the parentheses meta characters ( ( ) ). For this data type you can specify only a maximum length.

Note

We recommend that you use the phone data type only if the web application has client-side data validation for the parameter.

To configure a phone user-input parameter

  1. Create a new parameter.
  2. For the Parameter Type setting, select User-input value.
    The screen refreshes and displays the Parameter Characteristics area.
  3. In the Parameter Characteristics area, for the Data Type setting, select Phone.
  4. If you want the Policy Enforcer to enforce a maximum length (number of bytes) for the parameter value, check the Check Max. Length box, and type a number.
  5. Click the Create button to add the parameter to the configuration.

Tip

Be sure to make the security policy active if you want the Policy Enforcer to start enforcing this parameter. See Setting the active policy for a web application for more information.

Configuring the Allow Empty Value setting

The Allow Empty Value setting specifies whether the Policy Enforcer expects the parameter to have a defined value. When this setting is enabled on a parameter, the Policy Enforcer does not generate an Illegal empty parameter value alert if a client request does not provide a value. Conversely, if the Allow Empty Value setting is disabled (which is the default setting), the system generates the Illegal empty parameter value alert if a client request does not provide a value. The Allow Empty Value setting is applicable to global parameters, web object parameters, and flow parameters.
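The value checks described in this chapter for static parameters and for each user-input data type, together with the Allow Empty Value setting just described, modelled in one place as an added example. This is not F5 code: ParamSpec, check_value and the constructed SPECS entries are this example's own assumptions, and the violation labels are chosen here (the chapter itself names only "Illegal empty parameter value"). It deliberately leaves out the attack-pattern check and the note that enabling a regular expression may auto-enable meta characters, and it treats any character outside a-z, A-Z, 0-9 and underscore as a meta character regardless of language encoding. Lengths are counted in bytes, as the Check Max. Length setting states, and a regular expression must match the whole value, as step 5 of the alpha-numeric procedure notes:

```python
# Added example, not F5 code: a model of the static, user-input and
# Allow Empty Value checks this chapter describes. ParamSpec, check_value and
# SPECS are this example's own assumptions; the attack-pattern check is omitted.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Base character set of the alpha-numeric data type: letters, digits and the
# underscore. Anything else counts as a meta character and must be allowed.
ALNUM_BASE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")

NUMERIC_FORMAT = {"integer": r"-?[0-9]+", "decimal": r"-?[0-9]+(\.[0-9]+)?"}
EMAIL_FORMAT = r"[A-Za-z0-9_.]+@[A-Za-z0-9_.]+"   # letters, digits, '@', '.', '_'
PHONE_FORMAT = r"[0-9()\-]+"                       # digits, hyphen, parentheses


@dataclass
class ParamSpec:
    name: str
    param_type: str                      # "static" or "user-input"
    data_type: Optional[str] = None      # alpha-numeric, binary, decimal, email, integer, phone
    static_values: List[str] = field(default_factory=list)
    allow_empty: bool = False            # Allow Empty Value setting (off by default)
    max_length: Optional[int] = None     # Check Max. Length, in bytes
    min_value: Optional[float] = None    # Check Min. Value (integer/decimal only)
    max_value: Optional[float] = None    # Check Max. Value (integer/decimal only)
    regex: Optional[str] = None          # Regular Expression; must match the whole value
    allowed_meta: Set[str] = field(default_factory=set)  # Allowed Meta Characters list


def check_value(spec: ParamSpec, value: str) -> List[str]:
    """Return the violations raised for value; an empty list means accepted."""
    v: List[str] = []
    if value == "":
        if not spec.allow_empty:
            v.append("Illegal empty parameter value")
        return v                                   # nothing else to check on an empty value
    if spec.param_type == "static":
        if value not in spec.static_values:
            v.append("Illegal static parameter value")
        return v
    # User-input parameter: the length limit is in bytes, so a multi-byte
    # character counts for more than one.
    if spec.max_length is not None and len(value.encode("utf-8")) > spec.max_length:
        v.append("Illegal parameter value length")
    dt = spec.data_type
    if dt == "binary":
        return v                                   # length checks only
    if dt == "alpha-numeric":
        # fullmatch: a value that merely contains a match is still illegal.
        if spec.regex is not None and re.fullmatch(spec.regex, value) is None:
            v.append("Parameter value does not match regular expression")
        if any(c not in ALNUM_BASE and c not in spec.allowed_meta for c in value):
            v.append("Illegal meta character in parameter value")
    elif dt in NUMERIC_FORMAT:
        if re.fullmatch(NUMERIC_FORMAT[dt], value) is None:
            v.append("Illegal parameter data type")
        else:
            num = float(value)
            if spec.min_value is not None and num < spec.min_value:
                v.append("Parameter value below minimum")
            if spec.max_value is not None and num > spec.max_value:
                v.append("Parameter value above maximum")
    elif dt == "email":
        if re.fullmatch(EMAIL_FORMAT, value) is None:
            v.append("Illegal parameter data type")
    elif dt == "phone":
        if re.fullmatch(PHONE_FORMAT, value) is None:
            v.append("Illegal parameter data type")
    else:
        raise ValueError(f"unknown data type: {dt}")
    return v


# Constructed sample parameters (not taken from any real policy).
SPECS = {
    "card_type": ParamSpec("card_type", "static",
                           static_values=["Mastercard", "Visa", "American Express"]),
    "promo_code": ParamSpec("promo_code", "user-input", "alpha-numeric",
                            allow_empty=True, max_length=10),
    # The chapter's login example: letters, digits and $ # ! _ - are acceptable.
    "username": ParamSpec("username", "user-input", "alpha-numeric",
                          max_length=8, allowed_meta={"$", "#", "!", "-"}),
    "order_id": ParamSpec("order_id", "user-input", "alpha-numeric",
                          regex=r"ORD-[0-9]{6}", allowed_meta={"-"}),
    "quantity": ParamSpec("quantity", "user-input", "integer",
                          min_value=1, max_value=99, max_length=3),
    "email": ParamSpec("email", "user-input", "email", max_length=64),
    "phone": ParamSpec("phone", "user-input", "phone", max_length=20),
    "upload": ParamSpec("upload", "user-input", "binary", max_length=8),
}

if __name__ == "__main__":
    for name, value in [("card_type", "Visa"), ("card_type", ""), ("promo_code", ""),
                        ("username", "jos\u00e91234"), ("order_id", "xORD-123456"),
                        ("quantity", "100"), ("phone", "+1-555-0100"), ("upload", "GIF89a<>")]:
        print(f"{name}={value!r}: {check_value(SPECS[name], value) or 'accepted'}")
```

Two cases are worth noting when reading the output: the 8-character value "jos\u00e91234" fails the 8-byte limit for username because the accented letter occupies two bytes, and "xORD-123456" is rejected for order_id even though it contains a string the pattern would match, because the whole value must match.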

Configuring the Allow Empty Value setting for a global parameter

You can configure the Allow Empty Value setting either from the Global Parameters screen, or from the Global Parameter Properties screen. To change the Allow Empty Value setting from the Global Parameter Properties screen, refer to Editing the properties of a global parameter. Use the following procedure to change the setting from the Global Parameters screen.

To set the Allow Empty Value setting for a global parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the relevant web application.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the global parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Global Parameters.
    The Global Parameters screen opens.
  5. In the List of Global Parameters area, in the Select column (far left), check the box next to the parameter for which you want to change the Allow Empty Value setting.
  6. In the Allow Empty Value column, check or clear the check box as required for any parameters you selected in the previous step.
  7. Click the Save button (below the List of Global Parameters) to save any changes you may have made.

Configuring the Allow Empty Value setting for a web object parameter

You can configure the Allow Empty Value setting either from the Object Properties screen of the associated web object, or from the Object Parameter Properties screen. To change the Allow Empty Value setting from the Object Parameter Properties screen, refer to Editing the properties of a web object parameter. Use the following procedure to change the setting from the Object Properties screen of the associated web object.

To set the Allow Empty Value setting for a web object parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the relevant web application.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the web object parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Web Objects.
    The Web Objects screen opens.
  5. In the Web Application Objects (Site Map) area, in the Accessible Objects List column, click the name of the web object with which the parameter is associated.
    The Object Properties screen opens.
  6. In the List of Object Parameters area, in the Select column (far left), check the box next to the parameter for which you want to change the Allow Empty Value setting.
  7. In the Allow Empty Value column, check or clear the check box as required for any parameters you selected in the previous step.
  8. Click the Save button (below the List of Object Parameters) to save any changes you may have made.

Configuring the Allow Empty Value setting for a flow parameter

You can configure the Allow Empty Value setting either from the Flow Properties screen of the associated flow, or from the Flow Parameter Properties screen. To change the Allow Empty Value setting from the Flow Parameter Properties screen, refer to Editing the properties of a flow parameter. Use the following procedure to change the setting from the Flow Properties screen.

To set the Allow Empty Value setting for a flow parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the relevant web application.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the flow parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Flows.
    The Flows screen opens.
  5. In the Flows list area, click the Expand button to view the flows.
  6. In the Flows List, click the name of a flow.
    The Flow Properties screen opens.
  7. In the List of Flow Parameters area, in the Select column (far left), check the box next to the parameter for which you want to change the Allow Empty Value setting.
  8. In the Allow Empty Value column, check or clear the check box as required for any parameters you selected in the previous step.
  9. Click the Save button (below the List of Flow Parameters) to save any changes you may have made.

Configuring the Is Mandatory Parameter setting

The Is Mandatory Parameter setting specifies whether a parameter must be present in a flow. You can configure the Is Mandatory Parameter setting either from the Flow Properties screen of the associated flow, or from the Flow Parameter Properties screen. To change the Is Mandatory Parameter setting from the Flow Parameter Properties screen, refer to Editing the properties of a flow parameter. Use the following procedure to change the Is Mandatory Parameter setting from the Flow Properties screen of the associated flow.

Note

You can configure only flow parameters as mandatory.

To set the Is Mandatory Parameter setting for a flow parameter

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the relevant web application.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the flow parameter.
    The Policy Properties screen opens.
  4. On the menu bar, click Flows.
    The Flows screen opens.
  5. In the Flows list area, click the Expand button to view the flows.
  6. In the Flows List, click the name of a flow.
    The Flow Properties screen opens.
  7. In the List of Flow Parameters area, in the Select column (far left), check the box next to the parameter for which you want to change the Is Mandatory Parameter setting.
  8. In the Is Mandatory Parameter column, check or clear the check box as required for any parameters you selected in the previous step.
  9. Click the Save button (below the List of Flow Parameters) to save any changes you may have made.
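As an added illustration, not code from this guide or from the BIG-IP ASM product, the following Python model shows how the phone data type, the Check Max. Length setting, the Allow Empty Value setting and the Is Mandatory Parameter setting described in the preceding sections combine when a single request is checked against a set of parameter definitions. The parameter names, the request query strings and every alert label other than Illegal empty parameter value are constructed placeholders for the example.

```python
"""Constructed model of positive-security parameter checks (illustration, not ASM code)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl

# Phone data type as the chapter describes it: digits, the hyphen and parentheses only.
PHONE_RE = re.compile(r"^[0-9()\-]+$")


@dataclass
class ParameterDef:
    """One parameter definition; field names are constructed for this example."""
    name: str
    data_type: str = "alpha-numeric"   # only "phone" is modelled below
    max_length: Optional[int] = None   # None means Check Max. Length is unchecked
    allow_empty: bool = False          # disabled by default, as in the chapter
    mandatory: bool = False            # Is Mandatory Parameter (flow parameters only)


def check_parameters(defs: List[ParameterDef], query: str) -> List[str]:
    """Return the alerts one request (given as its query string) raises against defs.

    Alert labels other than "Illegal empty parameter value" are placeholders.
    """
    violations: List[str] = []
    by_name = {d.name: d for d in defs}
    seen = set()
    # keep_blank_values=True so "phone=" arrives as ("phone", "") and can be judged.
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.add(name)
        d = by_name.get(name)
        if d is None:
            continue  # undefined parameters are outside this model
        if value == "":
            if not d.allow_empty:
                violations.append(f"Illegal empty parameter value: {name}")
            continue  # an empty value has no length or data type to check
        if d.max_length is not None and len(value.encode("utf-8")) > d.max_length:
            violations.append(f"Illegal parameter value length: {name}")
        if d.data_type == "phone" and not PHONE_RE.match(value):
            violations.append(f"Illegal parameter data type: {name}")
    # A mandatory flow parameter must be present in the request at all.
    for d in defs:
        if d.mandatory and d.name not in seen:
            violations.append(f"Mandatory parameter is missing: {d.name}")
    return violations


# Constructed definitions: a phone field with a 14-byte limit, an optional comment
# that may be empty, and an account id that must be present in the flow.
SAMPLE_DEFS = [
    ParameterDef("phone", data_type="phone", max_length=14),
    ParameterDef("comment", allow_empty=True),
    ParameterDef("account", mandatory=True),
]

if __name__ == "__main__":
    for q in ("phone=(555)-123-4567&account=42",
              "phone=555.123.4567&account=42",
              "phone=&comment=&account=42",
              "phone=123"):
        print(q, "->", check_parameters(SAMPLE_DEFS, q) or "no violations")
```

The order of the checks matters for the model: an empty value is decided solely by Allow Empty Value and never reaches the length or data type checks, which mirrors the chapter's statement that the empty-value alert is the only one those requests produce.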

Working with dynamic parameters and extractions

When you configure a dynamic parameter, you also configure the extraction properties for the parameter values. The extraction properties define from where to extract the dynamic parameter values or name, and which method or methods to use for the extraction. When the Application Security Manager receives a request that contains a dynamic parameter, the system uses the extraction properties to collect the parameter value or name from the web application's response to the request. Once the system has extracted the dynamic parameter values, the Policy Enforcer knows what to enforce the next time a request contains the dynamic parameter.

Configuring dynamic content value parameters

Dynamic content value (DCV) parameters are those for which the web application sets the value on the server side. When you configure a DCV parameter in the Application Security Manager, the system verifies that the client is not changing the parameter value, as set by the server, from one request to the next. For example, in an auction application, the price parameter would be a DCV parameter, because you do not want users to tamper with the price value that the server sends to the client.

DCV parameters are often associated with web applications that use sessions. Each user of these applications has unique identifiers, and those identifiers may also change. As a result, the parameters within the web application that help identify the user have dynamic content values.

When you configure a DCV parameter, you also configure the extraction properties for the parameter values. The extraction properties specify the manner in which the Application Security Manager discovers and populates the values for the DCV parameter. By default, the system retains all of the values that it finds for a DCV parameter. In other words, the system does not replace the values it knows about when it extracts a new value.
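The extract-then-enforce cycle described above, as an added Python model that is not part of this guide or of the ASM product: it extracts a DCV parameter's values from a constructed server response using link search, form search and a response-body pattern (three of the methods Table 7.2 describes), retains every value it has seen, and flags a later request whose value the server never issued. The auction markup, the parameter name price and the regular expression are constructed for the example.

```python
"""Constructed model of DCV extraction and enforcement (illustration, not ASM code)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit


class _LinkAndInputCollector(HTMLParser):
    """Gathers <a href> targets and <input name value> pairs from a response body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []
        self.inputs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input" and a.get("name"):
            self.inputs.append((a["name"], a.get("value") or ""))


class DcvExtraction:
    """One DCV parameter, its extraction methods, and the values learned so far."""

    def __init__(self, param: str, search_links: bool = True,
                 search_form: bool = True, body_pattern: Optional[str] = None) -> None:
        self.param = param
        self.search_links = search_links   # "Search in links" (href query strings)
        self.search_form = search_form     # "Search entire form" (input fields)
        # "Search in response body": group 1 of the pattern is the extracted value.
        self.body_re = re.compile(body_pattern) if body_pattern else None
        self.known: Set[str] = set()       # retained across responses, never replaced

    def learn(self, response_body: str) -> Set[str]:
        """Extract the parameter's values from one response and add them to the known set."""
        collector = _LinkAndInputCollector()
        collector.feed(response_body)
        found: Set[str] = set()
        if self.search_links:
            for href in collector.links:
                for name, value in parse_qsl(urlsplit(href).query):
                    if name == self.param:
                        found.add(value)
        if self.search_form:
            for name, value in collector.inputs:
                if name == self.param:
                    found.add(value)
        if self.body_re is not None:
            found.update(m.group(1) for m in self.body_re.finditer(response_body))
        self.known |= found
        return found

    def enforce(self, query: str) -> List[str]:
        """Return values for the parameter in a request that the server never issued."""
        return [value for name, value in parse_qsl(query, keep_blank_values=True)
                if name == self.param and value not in self.known]


# Constructed auction page: the server sets price in a hidden field, in two links,
# and in an inline script.
RESPONSE_1 = """<html><body>
<form action="/bid" method="post">
  <input type="hidden" name="price" value="120.00"><input type="submit" value="Bid">
</form>
<a href="/item?id=7&price=120.00">Item 7</a>
<a href="/item?id=8&price=85.50">Item 8</a>
<script>var sessionPrice = "120.00";</script>
</body></html>"""

# A later response after the price changed; earlier values stay known.
RESPONSE_2 = """<html><body>
<form action="/bid" method="post"><input type="hidden" name="price" value="130.00"></form>
</body></html>"""

if __name__ == "__main__":
    price = DcvExtraction("price", body_pattern=r'sessionPrice = "([0-9.]+)"')
    print("learned:", sorted(price.learn(RESPONSE_1)))
    print("tampered values in request:", price.enforce("id=7&price=1.00"))
    price.learn(RESPONSE_2)
    print("known after second response:", sorted(price.known))
```

The retention behaviour is the point worth noticing: after the second response the original price is still accepted, which is what the chapter means by the system not replacing values it already knows when it extracts a new one.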

To configure a dynamic content value parameter

  1. Create a new parameter.
  2. For the Parameter Type setting, select Dynamic content value.
  3. Click the Create button.
    A popup screen opens.
  4. Click OK.
    The Extraction Properties screen opens.
  5. Above the Extract Items Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify from where you want the system to extract the dynamic parameter values. (See Understanding the extracted items configuration for more information on this setting.)
  6. Above the Extract Methods Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify the method or methods that you want the system to use to extract the dynamic parameter values. (See Understanding the extraction methods configuration for more information on this setting.)
  7. Click the Create button to add the new parameter to the configuration.

Note

You should define the extractions for a DCV parameter before you apply the security policy that includes the parameters. If you do not, when you apply the security policy, the policy validator generates a warning that the security policy contains dynamic parameters that do not have extractions defined.

Understanding the extracted items configuration

When you create an extraction for a dynamic parameter, one aspect of the extraction is configuring where, in the response, the system searches for the dynamic parameter. You can configure the system to extract the dynamic parameter values from object types, from web objects, or by using pattern matching. Alternatively, you can configure the system to extract dynamic parameter values from all items. Table 7.1 describes the extracted items settings.

Table 7.1 Extraction locations for dynamic parameters (each extraction item is followed by its description)

  Object types
    Use this setting when you want the system to extract dynamic parameters from files of a certain type. Note that the available object types are those that are already a part of the security policy.
  Web objects
    Use this setting when you want the system to extract dynamic parameters from specific web objects.
  Regexp
    Use this setting when you want the system to extract dynamic parameters that match a regular expression pattern. Note that this setting is available only when you select Advanced (above the Extract Items area).
  All items
    Use this setting when you want the system to extract dynamic parameters from all text-based objects and object types. Note that this setting is available only when you select Advanced (above the Extract Items area).


Understanding the extraction methods configuration

Another important aspect of the extraction configuration is defining how the system extracts the dynamic parameter, that is, the extraction method. Table 7.2 describes the extraction methods.

Table 7.2 Extraction methods for dynamic parameters (each extraction method is followed by its description)

  Search in links
    Use this setting when you want the system to extract dynamic parameter values from links (href tags) within an object.
  Search entire form
    Use this setting when you want the system to extract dynamic parameter values from all areas of a form.
  Search within form
    Use this setting when you want the system to extract dynamic parameter values from a specific frame or parameter within a form.
  Search in XML
    Use this setting when you want the system to extract dynamic parameter values from within XML entities.
  Search in response body
    Use this setting when you want the system to extract dynamic parameter values from the body of a response.


Configuring parameter characteristics for dynamic parameter names

In some web applications, DCV parameters also have dynamic names. You can use the parameter type, Dynamic parameter name, when you want the Policy Enforcer to enforce the dynamic names as well as dynamic values. Note that the Dynamic parameter name parameter type is applicable only when you are configuring a flow parameter.

When you configure a dynamic parameter name, you also configure the extraction properties. The extraction properties specify the manner in which the Application Security Manager discovers the parameter names.

To configure a dynamic parameter name parameter

  1. Create a flow parameter (see Creating a flow parameter).
  2. For the Parameter Type setting, select Dynamic parameter name.
    The screen refreshes, automatically generates a unique name in the Parameter Name setting, and displays the Dynamic Parameter Properties area.
  3. In the Dynamic Parameter Properties area, for the Extract Parameter from Object setting, specify the web object from which you want the system to extract the dynamic parameter.
  4. Next, select whether the system searches for the parameter in a form, or in the response body.
    • If the parameter is located in a form, select Search Within Form, and specify the form index and parameter index.
    • If the parameter is located in the HTTP/S response, select Search parameters in response body. In the By Pattern box, type a regular expression that represents the parameter name pattern. Clear the Check parameter value box if you do not want the system to enforce whether the parameter has a value.
  5. Click the Create button to add the new parameter to the configuration.

Configuring an extraction

You can configure an extraction that creates a global DCV parameter. When you create an extraction by using the Extractions screen, you have the option of associating it with an existing DCV parameter, or creating a new parameter (by typing a new name in Step 6 of the following task). If you type a new name, the system automatically creates a new global DCV parameter, because extractions must be associated with a DCV parameter. They cannot exist independently.

To create an extraction

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application for which you are creating an extraction.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that will enforce the extraction.
    The Policy Properties screen opens.
  4. On the menu bar, click Extractions.
    The Extractions screen opens.
  5. Above the List of Extractions area, click the Create button.
    The Extraction Properties screen opens.
  6. In the Extraction Properties area, for the Name setting, select an existing name, or type a new name in the box. Note that the existing name options are the names of dynamic content value parameters. If you type a new name, you are creating a new global parameter, by default.
  7. Above the Extract Items Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify from where you want the system to extract the dynamic parameter values. (See Understanding the extracted items configuration for more information on this setting.)
  8. Above the Extract Methods Configuration area, select Basic or Advanced (Advanced provides additional configuration options), and then specify the method or methods that you want the system to use to extract the dynamic parameter values. (See Understanding the extraction methods configuration for more information on this setting.)
  9. Click the Create button to add the new extraction to the configuration.

Viewing the list of extractions

On the Extractions screen, you can review all of the parameter extractions that are configured in the security policy. You can also review the parameter extractions for a specific web object on the properties screen for that web object. See Working with the Web Objects entity for more information on web object properties.

To view the configured extractions

  1. On the Main tab of the navigation pane, expand Application Security and then click Web Applications.
    The Web Application Groups screen opens.
  2. In the Name column, click the name of the web application whose extractions you want to view.
    The Web Application Properties screen opens.
  3. In the Security Policies List area, in the Security Policy Name column, click the name of the security policy that contains the extractions.
    The Policy Properties screen opens.
  4. On the menu bar, click Extractions.
    The Extractions screen opens, where you can view the extractions that are in the security policy.
