
URL BasePath validation Best Practices.

Hi,

Scenario: to validate the required incoming URL (i.e. the part of the incoming URL / string information of the BasePath that must be "XXX" or "YYY" or "ZZZ"):

We are validating the BasePath of URL as indicated below.

https://myvhost/*/ggg/yyy (the correct path is https://myvhost/XXX/ggg/yyy; * is given as an example in the URL)

(The validation is for the part displayed as *.) This part needs to be a certain value, i.e. the * part of the BasePath could be “XXX”, “YYY” or “ZZZ”. The value comes in the incoming BasePath.

Eg:

https://myvhost/*/ggg/yyy

(This is the Apigee SaaS URL used to invoke the backend from Postman; it is an HTTP GET request.)

In such a URL, the JavaScript logic for the * (BasePath) validation is listed below.

	// Full incoming URL, e.g. https://myvhost/XXX/ggg/yyy
	var basePath = context.getVariable("proxy.url");
	var valid = false;
	// split("/") on "https://myvhost/XXX/..." gives ["https:", "", "myvhost", "XXX", ...],
	// so index 3 is the first path segment (the * part of the BasePath)
	var fun = basePath.split("/");
	var urlString = fun[3];
	print("urlString ---" + urlString);
	// Allow-list check: the segment must be exactly one of the permitted values
	if (urlString == "XXX" || urlString == "YYY" || urlString == "ZZZ") {
		valid = true;
	}
	// Expose the result to the flow so a later Raise-Fault step can act on it
	context.setVariable("ValidateStatus", valid);
	context.setVariable("resourcepath", urlString);

The ProxyEndpoint ‘default’ PreFlow information for the above scenario is listed below.

Eg: flow of the ProxyEndpoint (high-level flow information, in the ProxyEndpoint “PreFlow”)

The overall logic of the PreFlow is:

Starts with Secured Shared Flow --> API Key Validation --> Invoke OKTA for Token and required logic --> ValidateEntitlementsInformation (JavaScript) etc.

Note: ValidateEntitlementsInformation is the name of the JavaScript logic, which validates that the * part of the URL is either “XXX”, “YYY” or “ZZZ”, as below:

<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>Security-Shared Flow</Name>
      </Step>
      <Step>
        <Name>Verify-APIKey-OKTA</Name>
      </Step>
      <Step>
        <Name>Verify-OKTA-JWT</Name>
      </Step>
      <Step>
        <Name>JavaScript-ValidateEntitlementsInformation</Name>
      </Step>
      <Step>
        <Name>Raise-Fault</Name>
        <Condition>(ValidateStatus == false)</Condition>
      </Step>
      <Step>
        <Name>ExtractRoleInfo</Name>
      </Step>
      <Step>
        <Condition>(scopes==null or scopes=="")</Condition>
        <Name>Raise-Fault-1</Name>
      </Step>
    </Request>
  </PreFlow>
  <PostFlow name="PostFlow">
  </PostFlow>
  <Flows>
    <Flow name="GetUserProfile">
      <Description>Gets User Profile Information</Description>
      <Condition>(proxy.pathsuffix MatchesPath "/") and (request.verb = "GET")</Condition>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/*/v1/api</BasePath>
    <Properties/>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>


In order to avoid writing * in the <BasePath> tag as indicated above, do we have any logic or any patterns to avoid * in the <BasePath> under <HTTPProxyConnection>?

We want to avoid * in <BasePath>, which could be a security issue; hence, what would the valid <BasePath> URL information be without using *? I.e. the indicated scenario requires validation of * to be "XXX" or "YYY" or "ZZZ", which I am taking care of in JavaScript, and which works fine.

I would appreciate your suggestions in case you have handled any such cases.

Let me know if you require any additional information.

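A stricter form of the allow-list check from the post, as an added example (not code from the original post or from Apigee): it extracts the first path segment without assuming split("/")[3], compares the raw (undecoded) segment exactly against the allow-list, and fails closed when the segment is missing or empty. The names ALLOWED_TENANTS, firstPathSegment and validateFirstSegment are assumed; the code is written in ES5 so it runs both in Node and in the Rhino-based Apigee JavaScript policy.

```javascript
// Added example (not from the original post). ES5 only, so it runs in
// Node for the test and inside an Apigee JavaScript policy.
// Assumed names: ALLOWED_TENANTS, firstPathSegment, validateFirstSegment.

var ALLOWED_TENANTS = ["XXX", "YYY", "ZZZ"]; // allow-list from the post

// Returns the first path segment of an absolute URL or a bare path, or null
// when there is none. Unlike split("/")[3] it does not depend on the input
// having the exact "scheme://host/..." shape.
function firstPathSegment(url) {
  var path = String(url);
  var m = /^[a-z][a-z0-9+.\-]*:\/\/[^\/?#]*/i.exec(path); // scheme://host[:port]
  if (m) { path = path.substring(m[0].length); }
  path = path.split("?")[0].split("#")[0];   // drop query string and fragment
  if (path.charAt(0) !== "/") { return null; } // must be an absolute path
  var seg = path.substring(1).split("/")[0];
  return seg === "" ? null : seg;              // "/" alone or "//..." has no segment
}

// Exact, case-sensitive comparison on the raw segment. The proxy routes on
// the raw path, so variants such as "xxx" or "%58XX" are rejected rather
// than normalised into a match (fail closed).
function validateFirstSegment(url, allowed) {
  var seg = firstPathSegment(url);
  var valid = seg !== null && allowed.indexOf(seg) !== -1;
  return { valid: valid, segment: seg };
}

// Inside the Apigee policy the 'context' object exists; in Node it does not.
if (typeof context !== "undefined") {
  var r = validateFirstSegment(context.getVariable("proxy.url"), ALLOWED_TENANTS);
  context.setVariable("ValidateStatus", r.valid);
  context.setVariable("resourcepath", r.segment === null ? "" : r.segment);
}
```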
3 REPLIES 3