Modification of server-relative URLs with junction mapping

Server-relative URLs generated on the client-side by applets and scripts initially lack knowledge of the junction point. WebSEAL cannot filter the URL because it is generated on the client-side.

During a client request for a resource by using this URL, WebSEAL can attempt to reprocess the server-relative URL by using a junction-mapping table. A junction-mapping table maps specific target resources to junction names. Junction mapping is an alternative to the cookie-based solution for filtering dynamically generated server-relative URLs.
Note: The junction-mapping table is purely used to map an incoming request to a junction. It does not impact the response that the junction generates. The URLs contained in the response are filtered according to the rules of the junction.

WebSEAL checks the location information in the server-relative URL against the data that is contained in the junction-mapping table. WebSEAL searches from the beginning of the table and continues downward through the table. If the path information in the URL matches any entry in the table during the search, WebSEAL directs the request to the junction associated with that location.

The table is an ASCII text file called jmt.conf. The name of this file is specified in the [junction] stanza of the WebSEAL configuration file:
jmt-map = jmt.conf

The format for data entry in the table consists of the junction name, a space, and the resource location pattern. You can also use wildcard characters to express the resource location pattern.

In the following example of the junction-mapping configuration file, two servers are junctioned to WebSEAL at /jctA and /jctB:
#jmt.conf
#junction-name resource-location-pattern
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg

Create the jmt.conf mapping table. This file does not exist by default. After you create the file and add data, use the jmt load command to load the data so that WebSEAL has knowledge of the new information.

pdadmin> server task server-name jmt load
JMT table successfully loaded.

The following conditions apply to the junction-mapping table solution:
  • The junction-mapping solution handles inbound requests that WebSEAL intercepts. WebSEAL does not intercept requests made by using unfiltered absolute URLs that point to a server external to the WebSEAL environment. The junction-mapping table solution does not handle those requests.
  • This solution does not require the -j option or junction cookie.
  • The mapping table requires setup and activation by a security administrator.
  • Resource-location-pattern matching must be unique across the local web space and across junctioned web application servers.
  • If there is a duplicate pattern entry in the file, the mapping table does not load. However, WebSEAL continues to run.
  • If there is an error while loading the mapping table, the mapping table is not available. However, WebSEAL continues to run.
  • Any errors that occur while loading the mapping table result in serviceability entries in the WebSEAL server log file (webseald.log).
  • By default, WebSEAL modifies the names of nondomain cookies that are returned in responses from junctioned applications. These names are modified across all junctions that are listed in the junction-mapping table. WebSEAL creates unique cookie names to prevent possible naming conflicts with cookies that are returned across other junctions. There are two methods for disabling this feature:

    See Handling cookies from servers across multiple -j junctions.
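
The top-down search and the duplicate-pattern condition described above, as an added example that is not part of the original documentation or of WebSEAL itself: a Python script that parses a jmt.conf, reports duplicate patterns (which prevent the table from loading), and resolves a request path to the first matching junction. The SAMPLE_JMT data, the function names, and the shell-style wildcard semantics are assumptions, not WebSEAL's documented matching rules.

```python
import fnmatch

# Constructed sample: the jmt.conf example above plus one deliberate
# duplicate pattern (last line) to exercise the duplicate check.
SAMPLE_JMT = """\
#jmt.conf
#junction-name resource-location-pattern
/jctA /documents/release-notes.html
/jctA /travel/index.html
/jctB /accounts/*
/jctB /images/weather/*.jpg
/jctA /accounts/*
"""

def parse_jmt(text):
    """Return [(line_no, junction, pattern)], skipping comments and blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {line_no}: expected 'junction pattern'")
        entries.append((line_no, parts[0], parts[1].strip()))
    return entries

def find_duplicates(entries):
    """Return [(pattern, first_line, repeat_line)] for repeated patterns."""
    seen, dups = {}, []
    for line_no, _junction, pattern in entries:
        if pattern in seen:
            dups.append((pattern, seen[pattern], line_no))
        else:
            seen[pattern] = line_no
    return dups

def resolve(entries, path):
    """Top-down search: the first matching entry decides the junction."""
    for _line_no, junction, pattern in entries:
        # Assumption: shell-style wildcards, where '*' also spans '/'.
        if fnmatch.fnmatchcase(path, pattern):
            return junction
    return None

if __name__ == "__main__":
    table = parse_jmt(SAMPLE_JMT)
    for pattern, first, repeat in find_duplicates(table):
        print(f"duplicate pattern {pattern!r}: lines {first} and {repeat}")
    print(resolve(table, "/accounts/statement.html"))
```

Running a check like this before jmt load catches the repeated pattern on line 7 of the sample, which would otherwise leave the mapping table unavailable.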

See also Controlling server-relative URL processing in requests.