Application policy precedence
Access Gateway apps can have multiple policies. Each policy is associated with a resource path containing a URI, a rule type, and other information. When a request is received for an app with multiple policies, policies are evaluated in precedence order.
In general, policies are evaluated in the following order:
- Custom policy: Custom policies are evaluated first, in the order in which they were entered chronologically. Processing starts at the first policy added to the most recent.
- Longest to shortest: /a/b/c is evaluated before /a/b.
- Trailing or no trailing slash: Resource paths ending with / (slash) are treated as an exact match. Resource paths not ending with / (slash) are treated as a prefix. For example, /rest matches /restaurant, but /rest/ doesn't.
- For policies of the same length, case-sensitive policies are evaluated before case-insensitive policies.
- The default policy, specified by '/' is applied.
In general, the sorting order follows these principles:
- Total number of elements in the URI: For example /a/b/c has three elements split by "/" (forward slash) in the resource path.
- Case sensitivity: Case-sensitive policies sort before case-insensitive policies with the same number of elements.
- Lexicographic order: Policies are then ordered alphabetically.
The following are examples of policy URIs and their behavior:
| URI rule and example | Case sensitive | Case insensitive |
|---|---|---|
| Custom | Evaluated before all other URIs policies. Evaluated in the order in which they were originally entered. This may include regular expressions in Resource Path. |
|
| URI rule: /a/b/C Example:/a/b/C |
/a: doesn't match.
/a/b: doesn't match. /a/b/c: doesn't match. |
/a: doesn't match. /a/b: doesn't match. /a/b/c: matches if there's no case-sensitive rule. /a/b/C: matches |
|
URI rule: /a/b/C |
/a: doesn't match. |
/a: doesn't match. |
| URI rule: /a/b Example:/a/b |
/a: doesn't match. /a/b: matches. |
/a: doesn't match. /a/b: matches if there's no case-sensitive rule. |
|
URI rule: /a |
/a: matches. |
/a: matches if there's no case-sensitive rule. |
| Default ("/") rule | Matches anything not matched by prior rules. | |
/uri is considered a prefix and matches any path starting with /uri. /uri/ (ending with a trailing slash) is an exact match and only matches the exact URI string.
These are more examples, shown in order of precedence.
|
URI |
Case sensitive |
Comment |
|---|---|---|
|
/a/b/c |
Yes |
Case-sensitive entries have higher precedence than the same URI that is case-insensitive. |
|
/a/b/c |
No |
|
|
/a/f |
Yes |
Both are marked as case-sensitive, and have the same number of elements (two) sorted lexicographically. |
|
/a/b |
Yes |
|
|
/a/e |
No |
Both are marked as case-insensitive, and have the same number of elements (two) sorted lexicographically, but after case-sensitive, there are two element rules. |
|
/a/b |
No |
|
|
/a |
No |