Policy Enforcement for Proxy Ports
When requests are received on the proxy port (http) or proxy-tls port (https) the WAMulator delegates to an instance of the RequestHandler class. That instance lives for the duration of a single http request and response cycle and is then discarded. To enforce configured Policies, Request Handler must first associate the request with a specific configured policy and then identify if the request meets the conditions of access for that policy. To do so it must take several steps.
Finding a <by-site> Matcher
Internally, the WAMulator represents access configuration in a an instance of TrafficManager. RequestHandler delegates to TrafficManager to see if the request matches the scheme, host, and port of a configured <by-site> element. Each <by-site> element is represented by an instance of SiteMatcher. For each <by-site> element a SiteMatcher is created and placed in TrafficManager and knows the scheme, host, and port allowed for that <by-site> element. Finding a SiteMatcher for the request is the first step toward finding a policy for a given request.
Determining Unenforced versus Restricted
In addition to the scheme, host, and port, SiteMatcher is a container for several classes of objects used for the next step. These objects are associated with declarations in the policy configuration file for a given <cctx-mapping> element. The cctx-mapping element represents an application and defines where requests for that application will be proxied. For requests to be considered part of that application they must match the URL path requirements of the cctx-mapping's policy configuration file. To be proxied to the backing application server, such requests must then meet corresponding access requirements in the same policy configuration file. The thost and tport ... to be continued...
Determining Conformance to Controlled Access
... to be continued...
delegates to several architectural components to identify if the request matches any poKey steps taken by RequestHandler are:
- Parsing the request into an HttpPackage instance.
- Enforce local port access only if applicable. (See the <port-access> config element)
- Identify the request as SSO Traffic if it matches a configured <by-site> element's scheme, host, and port
- Enforce SSO Traffic only if applicable (See the <config> element's allow-non-sso-traffic attribute)
- Handle Cross Domain SSO redirects
For the SSO traffic, RequestHandler further performs these steps to enforce access restrictions for URLs based upon configured policy.
- Injects General Headers (See WAMulator Injected Headers)
- Translate an incoming cookie to a user and determine if an active session is had
- Applies forced sign-in/sign-out if indicated with suitable query parameters (See WAMulator Injected Headers)