IBM Verify

  • 1.  WAF triggering after Authentication

    Posted Sat July 20, 2024 05:22 AM

    Dear All,

    I would like to ask you about WAF triggering. Is it possible to trigger the WAF after user authentication?
    If possible, we would like to trigger the WAF based on IV_GROUPS. So if a user is a member of a dedicated group, the WAF should be used. Otherwise the particular junction should be available without any WAF checking.

      Regards,



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------


  • 2.  RE: WAF triggering after Authentication

    Posted Mon July 22, 2024 05:09 PM

    Janos,

    The WAF processing, by necessity, actually occurs extremely early in the request processing, well before authentication takes place.

    You can trigger the WAF processing via Lua transformation rules (see: https://www.ibm.com/docs/en/sva/10.0.8?topic=developing-lua-module-documentation-webseal-http-transformation-rules / LuaControl.triggerWAF). Unfortunately this function can only be used during the processing of a 'request' rule, and so you won't have access to the session at this point in time. You would, however, need to use something from the request (maybe a special cookie) to determine whether the WAF processing is required or not.

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: WAF triggering after Authentication

    Posted Tue July 23, 2024 01:46 AM

    Hello Scott,

    Thank you for this information. The Lua solution is working, but only in a "request" rule, as you mentioned.

    Regards,



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------



  • 4.  RE: WAF triggering after Authentication

    Posted Tue July 23, 2024 01:57 AM

    Janos,

    The only other thing which you could do is to create a post-authentication Lua script which sets a response cookie to indicate whether WAF processing is required. This would be relatively easy to do, but you would also need to evaluate whether it would be an issue if a malicious user removed the cookie before sending the request.

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

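As an added example (not code from this thread or from IBM Security Verify Access), the following Python models the two-step design described above: a post-authentication step that derives a cookie from the user's group membership, and the request-time check that decides whether to trigger the WAF. It also addresses the caveat about a user stripping the cookie: the check defaults to WAF processing whenever the cookie is missing, forged, expired or borrowed from another session, which a signed, session-bound cookie value makes detectable. The signing key, cookie name, group name and session ids are constructed for the demonstration; in WebSEAL the request-time half would be expressed as a Lua request rule calling the LuaControl.triggerWAF function mentioned in the thread, which this model does not attempt to reproduce.

```python
"""Model of a cookie-driven WAF trigger, fail-closed (stand-in for the Lua rules).

Step 1 (post-authentication): decide from the user's group list whether the WAF
is required for this session and issue a cookie carrying that decision.
Step 2 (request rule): read the cookie and decide whether to trigger the WAF.

The cookie value is HMAC-signed and bound to the session id, so that a removed,
forged, expired or copied cookie all lead to the WAF being triggered.
"""
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

# Constructed demo values: a deployment would keep the key in its secret store
# and tune the group set and cookie lifetime to its own policy.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
COOKIE_NAME = "WAF_MODE"                 # hypothetical cookie name
COOKIE_TTL = 3600                        # seconds the decision stays valid
WAF_GROUPS = {"waf-inspected-users"}     # hypothetical group name


def _sign(session_id: str, payload: str) -> str:
    """HMAC over session id and payload, so the cookie is bound to one session."""
    msg = f"{session_id}|{payload}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_waf_cookie(session_id: str, groups, now=None) -> str:
    """Post-auth step: return the cookie value ("mode:expiry:signature")."""
    mode = "waf" if WAF_GROUPS.intersection(groups) else "nowaf"
    expires = int(now if now is not None else time.time()) + COOKIE_TTL
    payload = f"{mode}:{expires}"
    return f"{payload}:{_sign(session_id, payload)}"


def waf_required(cookie_header: str, session_id: str, now=None) -> bool:
    """Request-rule step: True means trigger the WAF. Any doubt -> True."""
    now = int(now if now is not None else time.time())
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if COOKIE_NAME not in jar:
        return True                      # cookie removed or never issued
    parts = jar[COOKIE_NAME].value.split(":")
    if len(parts) != 3:
        return True                      # malformed value
    mode, expires, sig = parts
    payload = f"{mode}:{expires}"
    if not hmac.compare_digest(_sign(session_id, payload).encode(), sig.encode()):
        return True                      # forged, tampered or copied from another session
    if not expires.isdigit() or int(expires) <= now:
        return True                      # expired decision
    return mode != "nowaf"               # only a valid exemption skips the WAF


if __name__ == "__main__":
    now = int(time.time())
    for sid, groups in (("sess-A", ["staff", "waf-inspected-users"]), ("sess-B", ["staff"])):
        value = issue_waf_cookie(sid, groups, now=now)
        print(sid, groups, "-> WAF required:", waf_required(f"{COOKIE_NAME}={value}", sid, now=now))
    print("no cookie -> WAF required:", waf_required("", "sess-B", now=now))
```

The decision is deliberately asymmetric: the cookie can only relax inspection, never add it, so the worst a client can do by tampering with it is to get more WAF processing than the policy intended.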