IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  WAF triggering after Authentication

    Posted Sat July 20, 2024 05:22 AM

    Dear All,

    I would like to ask you about WAF triggering. Is it possible to trigger WAF after user authentication?
    If possible, we would like to trigger WAF based on IV_GROUPS. So if the user is a member of a dedicated group, WAF should be used. Otherwise the particular Junction should be available without any WAF checking.

      Regards,



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------


  • 2.  RE: WAF triggering after Authentication

    Posted Mon July 22, 2024 05:09 PM

    Janos,

     

    The WAF processing, by necessity, actually occurs extremely early in the request processing, well before authentication takes place.

     

    You can trigger the WAF processing via Lua transformation rules (see: https://www.ibm.com/docs/en/sva/10.0.8?topic=developing-lua-module-documentation-webseal-http-transformation-rules / LuaControl.triggerWAF).  Unfortunately this function can only be used during the processing of a 'request' rule – and so you won't have access to the session at this point in time.  You would however need to use something from the request (maybe a special cookie) to determine whether the WAF processing is required or not.

     

    I hope that this helps.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

  • 3.  RE: WAF triggering after Authentication

    Posted Tue July 23, 2024 01:46 AM

    Hello Scott,

    Thank you for this information. The Lua solution is working, but only in "request", as you mentioned.

    Regards,



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------



  • 4.  RE: WAF triggering after Authentication

    Posted Tue July 23, 2024 01:57 AM

    Janos,

     

    The only other thing which you could do is to create a post-authentication Lua script which sets a response cookie to indicate whether WAF processing is required.  This would be relatively easy to do, but you would also need to evaluate whether it would be an issue if a malicious user removed the cookie before sending the request.

     

    I hope that this helps.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
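
Added example, not part of the original posts and not IBM Verify Access code: a sketch of the cookie decision discussed above, written so that a removed, altered or replayed cookie results in WAF processing rather than a bypass. It goes beyond the thread by adding an HMAC and an expiry to the marker and binding it to the session cookie value; the function names, the cookie layout and the key are assumptions, and plain Python stands in for the Lua rules.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key (assumption); a real deployment would load a protected secret.
KEY = b"constructed-demo-key"


def _mac(session_id: str, flag: str, expiry: str) -> str:
    msg = f"{session_id}.{flag}.{expiry}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def issue_marker(session_id: str, waf_needed: bool, ttl: int = 3600,
                 now: Optional[float] = None) -> str:
    """Post-authentication side: build the cookie value 'flag.expiry.mac'."""
    now = time.time() if now is None else now
    flag, expiry = str(int(waf_needed)), str(int(now) + ttl)
    return f"{flag}.{expiry}.{_mac(session_id, flag, expiry)}"


def waf_required(marker: Optional[str], session_id: Optional[str],
                 now: Optional[float] = None) -> bool:
    """Request side: True unless a valid, unexpired marker says WAF is not needed."""
    now = time.time() if now is None else now
    if not marker or not session_id:
        return True                      # cookie removed: fail closed
    parts = marker.split(".")
    if len(parts) != 3:
        return True                      # malformed value
    flag, expiry, mac = parts
    expected = _mac(session_id, flag, expiry)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return True                      # edited, or issued for another session
    if int(expiry) < now:                # expiry is authentic once the MAC matches
        return True
    return flag != "0"                   # only an explicit, signed "0" skips the WAF
```

The request-side rule would call the WAF trigger whenever `waf_required` returns true, so the only way to skip inspection is to present a marker that the post-authentication step actually issued for that session.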
