Junctions to Windows file systems

WebSEAL performs security checks on client requests to junctioned back-end servers based on the file paths specified in the URL. A compromise in this security check can occur because Win32 file systems allow two different methods for accessing long file names.

The first method acknowledges the entire file name. For example:

abcdefghijkl.txt

The second method recognizes the old 8.3 file name format for backward compatibility. For example:

abcdef~1.txt

When you create junctions in a Windows environments, it is important to restrict access control to one object representation only and not allow the possibility of "back doors" that bypass the security mechanism.

The –w option on a junction provides the following measures of protection:

• Prevents the use of the 8.3 file name format

  When the junction is configured with the –w option, a user cannot avoid an explicit ACL on a long file name by using the short (8.3) form of the file name. The server returns a "403 Forbidden" error on any short form file name entered.

• Disallows trailing dots in directory and file names

  If a file or directory contains trailing dots, a 403 "Forbidden" error is returned.

• Enforces case-insensitivity by setting the –i option
  The –w option automatically invokes the –i option. This option specifies that WebSEAL treat URLs as case-insensitive when performing authorization checks on a request to a junctioned back-end server. After a successful ACL check, the original case of the URL is restored when the request is sent to the back-end server.

  Note: If you require control over case-insensitivity only for file names, use only the –i option on the junction instead of the –w option.

The –w option is also supported on virtual host junctions. See Virtual host junctions and Command option summary: Virtual host junctions.