About application policy Resource Path precedence

Access Gateway applications can have multiple policies. Each policy is associated with a Resource path containing a URI, a rule type and other information. When a request is received for application with multiple policies, policies are evaluated in precedence order.

In general, policies are evaluated in the following order:

  • Custom policy - Custom policies are evaluated first, in the order in which they were entered chronologically.  First added to most recent.
  • Longest to shortest - For example /a/b/c is evaluated before /a/b.
  • Training or not trailing slash - Resource path ending with /(slash) are treated as exact match. Resource paths not ending with /(slash) are treated as a prefix.
    For example: /rest matches /restaurant, /rest/ does not.
  • For policies of the same length , case sensitive policies are evaluated before case insensitive policies.
  • Default policy, specified by '/' is applied.

The following are example policy URI and their behavior:

URI rule and example Case sensitive Case insensitive
Custom Evaluated before all other URIs policies.
Evaluated in order originally entered.
May include regular expressions in Resource Path. .
URI rule: /a/b/C
Example:/a/b/C
/a - does not match.
/a/b - does not match.
/a/b/c - does not match.
/a - does not match.
/a/b - does not match.
/a/b/c - matches if no case sensitive rule.
/a/b/C - matches

URI rule: /a/b/C
Example:/a/b/c

/a - does not match.
/a/b - does not match.
/a/b/c - matches

/a - does not match.
/a/b - does not match.
/a/b/c - matches if no case sensitive rule.

URI rule: /a/b
Example:/a/b
/a - does not match.
/a/b - matches.
/a - does not match.
/a/b matches if no case sensitive rule.

URI rule: /a
Example: /a

/a- matches.
/A - does not match.
/a/b - does not match.

/a - matches if no case sensitive match.
/A - matches.
/a/b does not match.

Default ("/") rule   Matches anything not matched by a prior rules.

By default /uri is a considered a prefix and matches any path starting with /uri.
By default /uri/ (ending with a trailing slash) is an exact match and only matches the exact URI string.

Additional examples, shown in order of precedence.

URI

Case sensitive

Comment

/a/b/c

Yes

Case sensitive has higher precedence then the same URI insentive.

/a/b/c

No

 

/a/f

Yes

Both marked case sensitive, same number of elements (two) sorted lexicographically.

 

/a/b

Yes

/a/e

No

Both marked case insensitive, same number of elements (two) sorted lexicographically, but after case sensitive two element rules.

 

 

/a/b

No

/a

No

 

In general, sorting order is determined by:

  1. Custom policies: Custom policies are evaluated first and within custom policies evaluated in order entered.
  2. Total number of elements in URI: For example /a/b/c has three elements split by "/" (forward slash) in resource path.
  3. Case sensitivity: Case sensitive policies sort above case insensitive policies with the same number of elements.
  4. Lexicographic order: Policies are then ordered alphabetically.

Policies and upgrade

Prior to Access Gateway v2021.1.0 all policies were treated as case sensitive. During upgrade, all policies are marked as case sensitive to reflect past behavior. New policies, added post upgrade, will default to case insensitive and will need to be explicitly marked case sensitive, if required.