Policy access_rights not blocking url access

ECL_DSI · February 24, 2022, 12:54pm

Hi
I’m facing to difficulties to block access to some URL inside policy
Ex
with 2 urls service

path/company/pdf/template (get)
path/company/pdf/tools/infoversion (get)

        "access_rights": {
            "a693c391-f67e-4bb0-bb26-4d71664ddd81" : {
                "allowed_urls": [
                        {
                            "path": "/company/pdf/template",
                            "methods": ["GET"]
                        }
                 ],

with this definition inside policy I was thinking to allow only /company/pdf/template access but both URL are still available
Question : if an URL isn’t inside “allowed_urls”: [ ] is it forbidden?
How to process?

Thanks
S.

Michael.m · February 24, 2022, 6:39pm

Hi @ECL_DSI

Welcome back to the Community.

If no URL is present in the Allowed URLs then it allows access to all URLs.

You can opt and specify only the restricted URLs, i.e., a black list rather than white list.

In this case, you can use a negative lookup to blacklist the specific URL.

For example, something like /api-listen-path/[^xml].* will blacklist the XML URL only.

This will get more complicated if you try to add more and more URLs to the blacklist.

I would recommend that you use the endpoint designer and blacklist the URL directly using our plugins.

The “allowed URLs” parameter can accept a regex. You can write the regex to allow all traffic except for whatever matches your setup.

Negative lookups/lookbacks

Let me know if you have any further questions.

ECL_DSI · February 25, 2022, 7:32am

Hi
regarding your answer

You can opt and specify only the restricted URLs, i.e., a black list rather than white list.

=> if I’m right, this white/black list is only applied at application level not policy (according to documentation)

Goal here is to define an app opening all URL, but with 2 different policies with different allow / forbidden URL (some are administration oriented) and then keys on them
My question was about the way to allow couple of URL / method (and to forbid others in same way) inside a policy
But all test I applied are failing.

note: I’m using community version

thanks

S.

Olu · March 1, 2022, 1:41pm

Hi @ECL_DSI, I can see that your allowed_urls json is misconfigured. It should be url rather than path as shown our documentation.

    "allowed_urls": [
        {
            "url": "/resource/(.*)",
            "methods": ["GET", "POST"]
        }
    ]

Let us know if this resolves the issue.

ECL_DSI · March 1, 2022, 2:04pm

Hi
You are right, once “url” used in place of “path”, mechanism is working fine with all requested granularities.

Thanks