Hi,
Scenario: To validate the required incoming URL (i.e. the part of the incoming URL / string information of the BasePath must be “XXX” or “YYY” or “ZZZ”):
We are validating the BasePath of the URL as indicated below.
https://myvhost/*/ggg/yyy (correct path is https://myvhost/XXX/ggg/yyy); * is given as an example for the URL.
(The validation is for the part displayed as *.) That * part of the BasePath needs to be a certain value, either “XXX” or “YYY” or “ZZZ”. The value comes in the incoming BasePath.
Eg:
(is the Apigee SaaS URL to invoke the backend from Postman; it is an HTTP GET request)
For such a URL, the JavaScript logic for the * (BasePath) validation is listed below.
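// Full request URL, e.g. https://myvhost/XXX/ggg/yyy
var basePath = context.getVariable("proxy.url");
var valid = false;
// Split on "/": [0]="https:", [1]="", [2]=host, [3]=first path segment
var fun = basePath.split("/");
var urlString = fun[3];
print("urlString ---" + urlString);
// Accept only the expected values for the * segment
if (urlString === "XXX" || urlString === "YYY" || urlString === "ZZZ") {
    valid = true;
}
// Flow variables read by the Raise-Fault condition and later steps
context.setVariable("ValidateStatus", valid);
context.setVariable("resourcepath", urlString);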
In the above scenario, the Proxy Endpoint ‘default’ PreFlow information is listed below.
Eg: Flow of the ProxyEndpoint proxy (high-level flow information) (in ProxyEndpoint “PreFlow”)
The overall logic of the PreFlow is:
Starts with Secured Shared Flow → API Key Validation → Invoke OKTA for Token and required logic → ValidateEntitlementsInformation (JavaScript) etc.
Note: ValidateEntitlementsInformation is the name of the JavaScript logic which validates that the * information of the URL is either “XXX” or “YYY” or “ZZZ”, as below.
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>Security-Shared Flow</Name>
            </Step>
            <Step>
                <Name>Verify-APIKey-OKTA</Name>
            </Step>
            <Step>
                <Name>Verify-OKTA-JWT</Name>
            </Step>
            <Step>
                <Name>JavaScript-ValidateEntitlementsInformation</Name>
            </Step>
            <Step>
                <Name>Raise-Fault</Name>
                <Condition>(ValidateStatus == false)</Condition>
            </Step>
            <Step>
                <Name>ExtractRoleInfo</Name>
                <Condition>(scopes==null or scopes=="")</Condition>
            </Step>
            <Step>
                <Name>Raise-Fault-1</Name>
            </Step>
        </Request>
    </PreFlow>
    <PostFlow name="PostFlow">
    </PostFlow>
    <Flows>
        <Flow name="GetUserProfile">
            <Description>Gets User Profile Information</Description>
            <Condition>(proxy.pathsuffix MatchesPath "/") and (request.verb = "GET")</Condition>
        </Flow>
    </Flows>
    <HTTPProxyConnection>
        <BasePath>/*/v1/api</BasePath>
        <Properties/>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
In order to avoid writing * in the <BasePath> tag as indicated above, do we have any logic or any patterns to avoid * in the <BasePath>, under <HTTPProxyConnection>?
We want to avoid * in <BasePath>, which could be a security issue; hence, what would the valid URL information be without using *? I.e. the indicated scenario requires validation of * to be “XXX” or “YYY” or “ZZZ”, which I am taking care of in JavaScript, which works fine.
Please share your suggestions in case you have handled any such cases.
Let me know if you require any additional information.
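
An allow-list check for the wildcard segment described in the question, as an added example that is not part of the original post: it parses the path out of the full URL, matches the first segment exactly, and also requires the fixed `/v1/api` remainder of the posted BasePath. The function and variable names are hypothetical, and the sample URLs are constructed.

```javascript
// Added example (not the poster's code). ES5 syntax only, so the function can
// also be pasted into a JavaScript policy; all names here are hypothetical.
var ALLOWED_SEGMENTS = ["XXX", "YYY", "ZZZ"];   // values named in the post
var FIXED_SUFFIX = "/v1/api";                   // rest of <BasePath>/*/v1/api</BasePath>

function fail(reason) {
  return { valid: false, segment: null, reason: reason };
}

// Validates the wildcard segment of a full request URL such as proxy.url.
function validateBasePath(proxyUrl) {
  if (typeof proxyUrl !== "string") { return fail("url missing"); }
  // Keep only the path: drop scheme://host, then query string and fragment.
  var m = /^https?:\/\/[^\/?#]+([^?#]*)/i.exec(proxyUrl);
  if (!m) { return fail("url not parseable"); }
  var parts = m[1].split("/");                  // "/XXX/v1/api" -> ["", "XXX", "v1", "api"]
  var segment = parts[1];
  // Exact, case-sensitive match against the allow-list; indexOf compares with
  // ===, so "xxx", "%58XX", "" and a missing segment are all rejected.
  if (ALLOWED_SEGMENTS.indexOf(segment) === -1) { return fail("segment not allowed"); }
  // The wildcard must be followed by the fixed part of the base path.
  var rest = m[1].substring(segment.length + 1);
  if (rest !== FIXED_SUFFIX && rest.indexOf(FIXED_SUFFIX + "/") !== 0) {
    return fail("unexpected path after segment");
  }
  return { valid: true, segment: segment, reason: "ok" };
}

// Constructed sample URLs (myvhost is the placeholder host from the post).
var samples = [
  "https://myvhost/XXX/v1/api",
  "https://myvhost/YYY/v1/api/users?id=7",
  "https://myvhost/xxx/v1/api",
  "https://myvhost/AAA/v1/api",
  "https://myvhost/XXX/v2/api",
  "https://myvhost//XXX/v1/api"
];
samples.forEach(function (u) {
  var r = validateBasePath(u);
  console.log(u + " -> " + r.valid + " (" + r.reason + ")");
});
```

In a policy, the returned `valid` and `segment` values would be written to the `ValidateStatus` and `resourcepath` flow variables in the same way as the posted script does.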
