Bypassing buffering on a per-resource basis

WebSEAL uses an internal buffer when processing data sent in requests to WebSEAL and responses from junction applications.

About this task

This buffering typically provides performance improvement. For certain applications that send or return small amounts of data, the buffering can cause the data to be held temporarily at WebSEAL while the buffer is being filled. For some applications, it might be preferable to bypass the buffering and stream the data directly to the junctioned server or to the clients. This scheme is not efficient for general web traffic; apply it only to particular resources that require streamed data. For example, apply it to junctions configured for RPC over HTTP communication. See Microsoft RPC over HTTP.

You can apply a protected object policy (POP) to individual resources that directs WebSEAL to bypass buffering for those resources. To bypass buffering for a particular resource response, attach a POP to the resource with an attribute named response-buffer-control set with the value bypass. To bypass buffering for a particular resource request, attach a POP to the resource with an attribute named request-buffer-control set with the value bypass.

The following example

Procedure

  1. Create a POP named bypassPOP with the appropriate attributes. 
    pdadmin> pop create bypassPOP
pdadmin> pop modify bypassPOP set attribute response-buffer-control bypass
pdadmin> pop modify bypassPOP set attribute request-buffer-control bypass
  2. Attach the POP to the chosen resource. 
    pdadmin> pop attach /WebSEAL/myinstance/myjunction/cgi-bin/smallCGI bypassPOP

    This POP only affects the data in the body of the request or response that is received from the client or junction. WebSEAL still buffers the request and response headers.

    When buffering HTTP requests using this POP technique, there are limitations. Certain WebSEAL functions require the entire request body, and this body is not available when streaming a request to a junctioned server.

    The following WebSEAL functionality cannot be used when using request streaming:

    Note: WebSEAL response streaming can still be applied to resources that use this WebSEAL functionality.
    • Caching of POST data during the authentication process.
    • Dynamic authorization decision information (dynADI) when POST data is part of the decision evaluation.
    • Dynamic URLs (dynURL) when POST data is part of the decision evaluation.
Parent topic: Advanced junction configuration
Related concepts:
Mutually authenticated SSL junctions
TCP and SSL proxy junctions
WebSEAL-to-WebSEAL junctions over SSL
Stateful junctions
Use of /pkmslogout with virtual host junctions
Junction throttling
Management of cookies
Passing of session cookies to junctioned portal servers
Support for URLs as not case-sensitive
Junctions to Windows file systems
Standard junctions to virtual hosts
UTF-8 encoding for HTTP header data
Single sign-on solutions across junctions
Related tasks:
Forcing a new junction