How to configure a pass through url in IHS Server and check a cookie for rest url?

Question

In IBM IHS Server I want to allow few urls to pass to app server(WAS) without validation and rest will be validated by a HTTP cookie.

So for example /Foo.do, /example.html, /example.css will be allowed by the IHS Server as passthrough. Rest of the incoming URLs will be validated by the cookie (Configured in IHS Server configuration like WAS plugin xml) whether the browser has that cookie or not.

Checking for a specific cookie is very primtiive access control that can be easily subverted. What's the underlying goal? — covener, May 13 '15 at 19:55

score 0 · Answer 1 · answered May 27 '15 at 16:31

While it's a bad idea because a secret cookie for access is pretty weak , one way to do this is to use mod_rewrite to inspect the cookie and forbid access if it's not present:

RewriteEngine ON
RewriteCond %{REQUEST_URI} ^/(Foo.do|example.html|example.css) [OR]
RewriteCond %{HTTP_COOKIE} my-secret-cookiename
RewriteRule .* - [L]
RewriteRule .* - [F]

The first rule skips the second rule when either of the conditions match. The 2nd rule fails the request with a 403.

You would need these rules once appended to httpd.conf and once in each <virtualhost>

How to configure a pass through url in IHS Server and check a cookie for rest url?

1 Answers1