HTTP Transformation - XSLT-buffer-size
Overview
The HTTP requests and responses received by WebSEAL are expressed as XML objects and can be manipulated using XSL transformations. In IBM Security Verify Access 10 the XSLT engine gets a bit of an update. As a result, once the user's credential has been built up, some of our existing rules can start failing with the following error in our pdweb.http.transformation logs.
trace.pdweb.http.transformation:6 /build/isam/src/i4w/pdweb/webseald/http/transformation/HTTPTransformationEngine.cpp:470: RETURN HTTPTransformationEinge::processResponseByResource Returning 951690418 because api-transform-resp xslt-buffer-size too small
So what does this error mean, and how do we fix it?
Cause
Under some conditions, the XSLT engine in ISAM and Verify Access generates the HTTP Request or Response Change data with unnecessary text: it copies the text part of elements in the input data into the change data. This text has no impact on the HTTP transformation process, but it does count against the xslt-buffer-size.
Before ISAM 9.0.7.1, WebSEAL had a fixed buffer size for processing HTTP Transformations. This limit could be exceeded if the request in question had a large header, such as when a user has many groups.
Solution
Add templates for all of the elements in the input data. For unused elements, use the following simple templates.
<xsl:template match="//HTTPRequest/Credential" />
<xsl:template match="//HTTPRequest/RequestLine" />
<xsl:template match="//HTTPRequest/Headers" />
<xsl:template match="//HTTPRequest/Cookies" />
<xsl:template match="//HTTPResponse/Credential" />
<xsl:template match="//HTTPResponse/ResponseLine" />
<xsl:template match="//HTTPResponse/Headers" />
<xsl:template match="//HTTPResponse/Cookies" />
<xsl:template match="//HTTPResponse/HTTPRequest" />
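An added example, not part of the original page or of IBM's tooling: a small Python check that lists which of the templates above a rule file is still missing, so existing rules can be audited before an upgrade. The sample rule, its X-Example header and the function names are constructed for illustration, and the check is conservative: only an exact match pattern counts as coverage.

```python
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"

# Top-level input elements, taken from the template list on this page.
REQUIRED = {
    "HTTPRequest": ["Credential", "RequestLine", "Headers", "Cookies"],
    "HTTPResponse": ["Credential", "ResponseLine", "Headers", "Cookies", "HTTPRequest"],
}

# Constructed sample rule (not from the page): covers Headers, Cookies, ResponseLine only.
SAMPLE_RULE = """\
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:strip-space elements="*" />
  <xsl:template match="/">
    <HTTPResponseChange>
      <xsl:apply-templates />
    </HTTPResponseChange>
  </xsl:template>
  <xsl:template match="//HTTPResponse/Headers">
    <Header action="add" name="X-Example">constructed</Header>
  </xsl:template>
  <xsl:template match="//HTTPResponse/Cookies | //HTTPResponse/ResponseLine" />
</xsl:stylesheet>
"""


def template_matches(stylesheet_text):
    """Return every match pattern declared by an xsl:template, splitting unions."""
    root = ET.fromstring(stylesheet_text)
    patterns = set()
    for tmpl in root.iter(XSL + "template"):
        for part in tmpl.get("match", "").split("|"):
            if part.strip():
                patterns.add(part.strip())
    return patterns


def missing_templates(stylesheet_text, kind):
    """List the page's patterns for `kind` that have no exact-match template."""
    declared = template_matches(stylesheet_text)
    wanted = ["//%s/%s" % (kind, child) for child in REQUIRED[kind]]
    return [p for p in wanted if p not in declared]


if __name__ == "__main__":
    # Print the empty templates that would need to be pasted into the rule.
    for pattern in missing_templates(SAMPLE_RULE, "HTTPResponse"):
        print('<xsl:template match="%s" />' % pattern)
```

A rule that handles only child elements (for example individual headers) is reported as missing the parent template, so review each finding rather than pasting blindly.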
Additionally, in ISAM 9.0.7 and Verify Access we can increase the xslt-buffer-size by adding it to the [http-transformations:<resource-name>] stanza.
[http-transformations:api-transform-resp]
xslt-buffer-size = 16384
request-match = response:POST /sso/sps/authorise*