Manual Chapter :
Securing Web Applications Created with Google Web Toolkit
Applies To:
Show Versions
BIG-IP ASM
- 14.1.3, 14.1.2, 14.1.0
Securing Web Applications Created with Google Web Toolkit
Overview: Securing Java web applications created with Google Web Toolkit elements
Google Web Toolkit (GWT)
is a Java framework that is used to create AJAX
applications. When you add GWT enforcement to a security policy, the Security Enforcer can detect
malformed GWT data, request payloads and parameter values that exceed length limits, attack
signatures, and illegal meta characters in parameter values. This implementation describes how to
add GWT support to an existing security policy for a Java web application created with GWT
elements. Task summary
Creating a Google Web Toolkit profile
Before you can begin this task, you need to create a security policy for the web application that you are creating using Google Web Toolkit (GWT).
A GWT profile defines what the security policy enforces and considers legal when it detects traffic that contains GWT data.
The system supports GWT in
UTF-8 and UTF-16 encoding.
- On the Main tab, click .
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The Create New GWT Profile screen opens.
- Type a name and optional description for the profile.
- For theMaximum Total Length of GWT Datasetting, specify the maximum byte length for the request payload or parameter value that contains GWT data.The default is10000bytes.AnySpecifies that there are no length restrictions.LengthSpecifies, in bytes, the maximum data length that is acceptable.
- For theMaximum Value Lengthsetting, specify the longest acceptable value for a GWT element that occurs in a document that the security policy allows.The default is100bytes.AnySpecifies that there are no length restrictions.LengthSpecifies, in bytes, the maximum acceptable length.
- Clear theTolerate GWT Parsing Warningscheck box if you want the system to report warnings about parsing errors in GWT content.
- To change the security policy settings for specific attack signatures for this GWT profile, from theGlobal Security Policy Settingslist, select the attack signatures and then move them into theOverridden Security Policy Settingslist.If no attack signatures are listed in theGlobal Security Policy Settingslist, create the profile, update the attack signatures, then edit the profile.
- In theOverridden Security Policy Settingslist, enable or disable each attack signature as needed:EnabledEnforces the attack signature for this GWT profile, although the signature might be disabled in general. The system reports the Attack Signature Detected violation when the GWT data in a request matches the attack signature.DisabledDeactivates the attack signature for this GWT profile, although the signature might be enabled in general.
- To allow or disallow specific meta characters in GWT data (and thus override the global meta character settings), click the Value Meta Characters tab.
- Select theCheck characterscheck box, if it is not already selected.
- Move any meta characters that you want allow or disallow from theGlobal Security Policy Settingslist into theOverridden Security Policy Settingslist.
- In theOverridden Security Policy Settingslist, change the meta character state toAlloworDisallow.
- ClickCreate.The system creates the profile and displays it in the GWT Profiles list.
The security policy does not enforce the GWT profile settings until you associate the GWT profile with any URLs that might include GWT data.
Associating a Google Web Toolkit profile with a URL
Before you can associate a Google Web Toolkit (GWT) profile with a URL, you need to create a security policy with policy elements, including application URLs and the GWT profile.
When you associate a GWT profile with a URL in a security policy, the Security Enforcer can apply specific GWT checks to the associated requests.
- On the Main tab, click .
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- In the Allowed URLs List area, click the name of a URL that might contain GWT data.The Allowed URL Properties screen opens.
- From theAllowed URL Propertieslist, selectAdvanced.
- For theHeader-Based Content Profilessetting, specify the characteristics of the traffic to which the GWT profile applies.
- In theRequest Header Namefield, type the explicit string or header name that defines when the request is treated as theParsed Astype; for example,Content-Type.This field is not case-sensitive.
- In theRequest Header Valuefield, type a wildcard character (including *, ?, or [chars]) for the header value; for example,*gwt*.This field is case-sensitive.
- For theParsed Assetting, selectGWT.
- For theProfile Namesetting, select the GWT profile that you created from the list.
- ClickAdd.The system adds the header and profile information to the list.
- If you have multiple headers and profiles defined, you can adjust the order of processing.
- ClickUpdate.
- To put the security policy changes into effect immediately, clickApply Policy.
When the system receives traffic that contains the specified URLs, the Security Enforcer applies the checks you established in the GWT profile, and takes action according to the corresponding blocking policy.
Implementation result
You have now added Google Web Toolkit (GWT) support to a security policy. When the Security
Enforcer detects GWT traffic that matches the URLs defined in the security policy, the selected
parameters are enforced as you have indicated.
