Junctions to Windows file systems

WebSEAL performs security checks on client requests to junctioned back-end servers based on the file paths specified in the URL. A compromise in this security check can occur because Win32 file systems allow two different methods for accessing long file names.

The first method acknowledges the entire file name. For example:

abcdefghijkl.txt

The second method recognizes the old 8.3 file name format for backward compatibility. For example:

abcdef~1.txt

When you create junctions in a Windows® environment, it is important to restrict access control to one object representation only and not allow the possibility of "back doors" that bypass the security mechanism.

The –w option on a junction provides the following measures of protection:

  • Prevents the use of the 8.3 file name format

    When the junction is configured with the –w option, a user cannot avoid an explicit ACL on a long file name by using the short (8.3) form of the file name. The server returns a "403 Forbidden" error on any short form file name entered.

  • Disallows trailing dots in directory and file names

    If a file or directory name contains trailing dots, a "403 Forbidden" error is returned.

  • Enforces case-insensitivity by setting the –i option

    The –w option automatically invokes the –i option. This option specifies that WebSEAL treat URLs as case-insensitive when performing authorization checks on a request to a junctioned back-end server. After a successful ACL check, the original case of the URL is restored when the request is sent to the back-end server.

    Note: If you require control over case-insensitivity only for file names, use only the –i option on the junction instead of the –w option.

The –w option is also supported on virtual host junctions.
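
The following sketch is an added example, not WebSEAL code. It models why an ACL keyed on the URL path string can be sidestepped by an alias of the same file, and how the three checks listed for the –w option close that gap. The ACL table, the `/jct/private` path, the user names, the function names and the short-name heuristic are all assumptions made for illustration; the page does not state how WebSEAL recognizes an 8.3 name.

```python
import re

# Constructed ACL table: one explicit ACL on the long file name.
# Paths with no explicit entry are treated as permitted (assumed inherited ACL).
ACLS = {"/jct/private/abcdefghijkl.txt": {"alice"}}


def is_short_name(segment):
    """Heuristic for an 8.3 alias: base <= 8 chars ending in ~<digits>, ext <= 3."""
    base, _, ext = segment.partition(".")
    return (len(base) <= 8 and len(ext) <= 3
            and re.fullmatch(r"[^~]+~\d+", base) is not None)


def _lookup(table, path, user):
    allowed = table.get(path)
    return 200 if allowed is None or user in allowed else 403


def naive_check(path, user):
    """Exact-string ACL match: every alias of a file is a separate object."""
    return _lookup(ACLS, path, user)


def strict_check(path, user):
    """Apply the three protections the page lists before the ACL decision."""
    for segment in filter(None, path.split("/")):
        # Refuse 8.3 aliases and trailing dots (this also refuses "." and "..").
        if is_short_name(segment) or segment.endswith("."):
            return 403
    # Case is folded for the authorization decision only; the request path
    # itself is left unchanged for forwarding to the back-end server.
    folded = {p.lower(): users for p, users in ACLS.items()}
    return _lookup(folded, path.lower(), user)


if __name__ == "__main__":
    for p in ("/jct/private/abcdefghijkl.txt", "/jct/private/abcdef~1.txt",
              "/jct/private/ABCDEFGHIJKL.TXT", "/jct/private/abcdefghijkl.txt."):
        print(f"{p:40} naive={naive_check(p, 'bob')} strict={strict_check(p, 'bob')}")
```

Running it prints one line per path form, showing which forms the exact-match check lets through for a user who is not on the ACL and that the stricter check refuses all of them.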