About application policy precedence

Access Gateway applications can have multiple policies. Each policy is associated with a URI, a rule type and other information. When a request is received for application with multiple policies, policies are evaluated in precedence order.

In general policies are evaluated in the following order:

  • Custom policy - Custom policies are evaluated first, in the order in which they were entered chronologically.  Earliest added to most recent.
  • Longest to shortest - For example /a/b/c is evaluated before /a/b.
  • For policies of the same length , case sensitive policies are evaluated before case insensitive policies.
  • Default policy, specified by '/' is applied.

The following are example policy URI and their behavior:

URI rule and example Case sensitive Case insensitive
Custom Evaluated before all other URIs policies.
Evaluated in order originally entered.
URI rule: /a/b/C
Example:/a/b/C		 /a - does not match.
/a/b - does not match.
/a/b/c - does not match.		 /a - does not match.
/a/b - does not match.
/a/b/c - matches if no case sensitive rule.
/a/b/C - matches

URI rule: /a/b/C
Example:/a/b/c

/a - does not match.
/a/b - does not match.
/a/b/c - matches

/a - does not match.
/a/b - does not match.
/a/b/c - matches if no case sensitive rule.
URI rule: /a/b
Example:/a/b		 /a - does not match.
/a/b - matches.		 /a - does not match.
/a/b matches if no case sensitive rule.

URI rule: /a
Example: /a

/a- matches.
/A - does not match.
/a/b - does not match.

/a - matches if no case sensitive match.
/A - matches.
/a/b does not match.
Default ("/") rule   Matches anything not matched by a prior rules.

Additional examples, shown in order of precedence.

URI

Case sensitive

Comment

/a/b/c

Yes

Case sensitive has higher precedence then the same URI insentive.

/a/b/c

No

 

/a/f

Yes

Both marked case sensitive, same number of elements (two) sorted lexicographically.

 

/a/b

Yes

/a/e

No

Both marked case insensitive, same number of elements (two) sorted lexicographically, but after case sensitive two element rules.

 

 

/a/b

No

/a

No

 

In general, sorting order is determined by:

  1. Custom policies: Custom policies are evaluated first and within custom policies evaluated in order entered.
  2. Total number of elements in URI: For example /a/b/c has three elements split by "/" (forward slash) in resource path.
  3. Case sensitivity: Case sensitive policies sort above case insensitive policies with the same number of elements.
  4. Lexicographic order: Policies are then ordered alphabetically.

Policies and upgrade

Prior to Access Gateway v2021.01.0 all policies were treated as case sensitive. During upgrade, all policies are marked as case sensitive to reflect past behavior. New policies, added post upgrade, will default to case insensitive and will need to be explicitly marked case sensitive, if required.