ISAM Selective use of Local Response Redirect

In ISAM, using the Local Response Redirect (LRR) capability for an EAI that only handles a login operation has traditionally been overkill. The reason is that almost any error or management page traditionally handled by ISAM then gets redirected to your EAI, including login operations, the logout page, stepup and other authentication-related operations.

It is possible, however, to configure the Local Response Redirect to trigger only for certain operations, and leave WebSEAL to handle the rest.

First up, enable LRR:

#--------------------------
# LOCAL RESPONSE REDIRECTS
#--------------------------
# Enable/disable sending a redirect instead of serving management or error
# pages from the local system.
#
# The local-response-redirect-uri parameter must be set in order for this
# option to function.
#
# This configuration item may be customized for a particular junction
# by adding the adjusted configuration item to a [acnt-mgt:{jct_id}] stanza,
# where '{jct-id}' refers to the junction point for a standard junction
# (include the leading '/'), or the virtual host label for a virtual host
# junction.
enable-local-response-redirect = yes

Then configure the URIs for the desired operations:

[local-response-redirect]
# URLs to which management page requests are redirected. All management
# requests will be redirected to the URLs with a query string indicating
# the operation requested, along with any macros (as configured in the
# [local-response-macros] stanza). See the WebSEAL Admin Guide for the
# specific format of the query string, and how the receiving handler should
# treat the requests.
local-response-redirect-uri = [login] /jct/cgi-bin/eai

Here the operation “login” is declared in ‘[ ]’ before the URI.

The operations that can be chosen are listed below:

  • logout
  • passwd
  • passwd_warn
  • passwd_warn_failure
  • acct_inactivated
  • acct_locked
  • passwd_exp
  • passwd_rep_success
  • passwd_rep_failure
  • help
  • login
  • login_success
  • token_login
  • cert_login
  • next_token
  • switch_user
  • failed_cert
  • cert_stepup_http
  • stepup
  • error
  • too_many_sessions
  • tempsession

This is much better than configuring your EAI to handle all the error conditions, and means you can streamline it to just the login operations, but still use LRR.
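
As an added example (not from the original post or from IBM), a small Python check that reads a WebSEAL configuration fragment and reports which operations are redirected to the EAI and which WebSEAL still serves itself. It assumes one local-response-redirect-uri line per operation, that an entry with no [operation] prefix redirects every operation, and that cert_login and next_token are separate names; audit_lrr and handled_by_webseal are hypothetical helper names.

```python
import re

# Operation names from the list on this page (cert_login and next_token
# are treated as two separate names; that split is an assumption).
KNOWN_OPS = set("""logout passwd passwd_warn passwd_warn_failure
acct_inactivated acct_locked passwd_exp passwd_rep_success passwd_rep_failure
help login login_success token_login cert_login next_token switch_user
failed_cert cert_stepup_http stepup error too_many_sessions tempsession""".split())

ENTRY = re.compile(r"local-response-redirect-uri\s*=\s*(?:\[([^\]]*)\]\s*)?(\S+)$")

def audit_lrr(conf_text):
    """Return (routes, findings) for the [local-response-redirect] stanza.

    routes maps operation -> URI ("*" means no operation prefix was given);
    findings is a list of (line_number, message) tuples.
    """
    routes, findings, stanza = {}, [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]          # stanza header such as [server]
            continue
        m = ENTRY.match(line) if stanza == "local-response-redirect" else None
        if not m:
            continue
        op, uri = m.group(1), m.group(2)
        if op is None:
            op = "*"
            findings.append((n, "no [operation] prefix: all operations go to " + uri))
        elif op not in KNOWN_OPS:
            findings.append((n, "unknown operation '%s'" % op))
            continue
        routes[op] = uri
    return routes, findings

def handled_by_webseal(routes):
    """Operations WebSEAL still serves locally under this configuration."""
    return set() if "*" in routes else KNOWN_OPS - set(routes)

# Constructed sample: two intended entries and one mistyped operation name.
SAMPLE = """\
[local-response-redirect]
local-response-redirect-uri = [login] /jct/cgi-bin/eai
local-response-redirect-uri = [stepup] /jct/cgi-bin/eai
local-response-redirect-uri = [logn] /jct/cgi-bin/eai
"""
```

Running audit_lrr over a configuration before deploying it shows at a glance whether the EAI is exposed to more operations than it was written to handle.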

Don’t forget you can configure WebSEAL to follow redirects for you automatically too, meaning you can hide any 302s generated by the Local Response Redirect!

[server]
...

# WebSEAL is capable of examining 302 responses and processing the redirects
# internally if they are destined for the current server using the same
# protocol. This configuration entry controls the requests for which this
# redirect functionality is enabled. A case-sensitive comparison will be made
# between the configuration entry and the HTTP request line. Shell-style
# pattern matching for '*', '?', '\' and '[]' can be used in the comparison
# (excluding special match strings).
#
# Special match strings:
# - "!LRR!" will match any request resulting in a Local Response Redirect
# action occurring.

follow-redirects-for = !LRR!
