Application policy precedence

Access Gateway apps can have multiple policies. Each policy is associated with a resource path containing a URI, a rule type, and other information. When a request is received for an app with multiple policies, policies are evaluated in precedence order.

In general, policies are evaluated in the following order:

  • Custom policy: Custom policies are evaluated first, in the order in which they were entered. Processing runs from the first policy added to the most recent.
  • Longest to shortest: /a/b/c is evaluated before /a/b.
  • Trailing or no trailing slash: Resource paths ending with / (slash) are treated as an exact match. Resource paths not ending with / (slash) are treated as a prefix. For example, /rest matches /restaurant, but /rest/ doesn't.
  • For policies of the same length, case-sensitive policies are evaluated before case-insensitive policies.
  • The default policy, specified by '/', is applied last.

In general, the sorting order follows these principles:

  1. Total number of elements in the URI: For example /a/b/c has three elements split by "/" (forward slash) in the resource path.
  2. Case sensitivity: Case-sensitive policies sort before case-insensitive policies with the same number of elements.
  3. Lexicographic order: Policies are then ordered alphabetically.

The following are examples of policy URIs and their behavior:

| URI rule and example | Case sensitive | Case insensitive |
|---|---|---|
| Custom | Evaluated before all other URI policies. Evaluated in the order in which they were originally entered. This may include regular expressions in Resource Path. | |
| URI rule: /a/b/C. Example: /a/b/C | /a: doesn't match. /a/b: doesn't match. /a/b/c: doesn't match. | /a: doesn't match. /a/b: doesn't match. /a/b/c: matches if there's no case-sensitive rule. /a/b/C: matches. |
| URI rule: /a/b/C. Example: /a/b/c | /a: doesn't match. /a/b: doesn't match. /a/b/c: matches. | /a: doesn't match. /a/b: doesn't match. /a/b/c: matches if there's no case-sensitive rule. |
| URI rule: /a/b. Example: /a/b | /a: doesn't match. /a/b: matches. | /a: doesn't match. /a/b: matches if there's no case-sensitive rule. |
| URI rule: /a. Example: /a | /a: matches. /A: doesn't match. /a/b: doesn't match. | /a: matches if there's no case-sensitive rule. /A: matches. /a/b: doesn't match. |
| Default ("/") rule | Matches anything not matched by prior rules. | |

/uri is considered a prefix and matches any path starting with /uri. /uri/ (ending with a trailing slash) is an exact match and only matches the exact URI string.

These are more examples, shown in order of precedence.

| URI | Case sensitive | Comment |
|---|---|---|
| /a/b/c | Yes | Case-sensitive entries have higher precedence than the same URI that is case-insensitive. |
| /a/b/c | No | |
| /a/f | Yes | Both are marked as case-sensitive and have the same number of elements (two), so they are sorted lexicographically. |
| /a/b | Yes | |
| /a/e | No | Both are marked as case-insensitive and have the same number of elements (two), so they are sorted lexicographically, but after the case-sensitive two-element rules. |
| /a/b | No | |
| /a | No | |
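The sorting principles and first-match evaluation described above, as an added Python example (not Access Gateway's own code) that shows which policy a given request path lands on, which is the check to run when auditing whether a case variant or longer path falls through to a broader rule. The names `Policy`, `by_precedence`, `matches`, `evaluate` and `RULES` are hypothetical, and custom policies are left out. The direction of the lexicographic tie-break is an assumption taken from the example table, which lists /a/f before /a/b.

```python
from typing import NamedTuple, Optional

class Policy(NamedTuple):
    path: str             # "/a/b" is a prefix rule, "/a/b/" an exact rule
    case_sensitive: bool
    label: str            # hypothetical name used only in this example

def elements(path: str) -> int:
    """Count path elements split by '/': '/a/b/c' -> 3, '/' -> 0."""
    return len([part for part in path.split("/") if part])

def by_precedence(policies):
    # Assumption: the lexicographic tie-break runs in the direction of the
    # page's example table, which lists /a/f before /a/b.
    ordered = sorted(policies, key=lambda p: p.path, reverse=True)
    # Stable sort: most elements first, then case-sensitive before insensitive.
    return sorted(ordered, key=lambda p: (-elements(p.path), not p.case_sensitive))

def matches(policy: Policy, request_path: str) -> bool:
    rule, path = policy.path, request_path
    if rule == "/":                  # default policy catches whatever is left
        return True
    if not policy.case_sensitive:
        rule, path = rule.lower(), path.lower()
    if rule.endswith("/"):           # trailing slash: exact match only
        return path == rule
    return path.startswith(rule)     # no trailing slash: prefix match

def evaluate(policies, request_path: str) -> Optional[Policy]:
    """Return the first policy, in precedence order, that matches."""
    for policy in by_precedence(policies):
        if matches(policy, request_path):
            return policy
    return None

# Constructed rule set: the page's precedence examples, shuffled, plus "/".
RULES = [
    Policy("/", False, "default"),
    Policy("/a/b", False, "ab-ci"),
    Policy("/a", False, "a-ci"),
    Policy("/a/b/c", False, "abc-ci"),
    Policy("/a/f", True, "af-cs"),
    Policy("/a/e", False, "ae-ci"),
    Policy("/a/b", True, "ab-cs"),
    Policy("/a/b/c", True, "abc-cs"),
]

if __name__ == "__main__":
    for request in ("/a/b/c", "/A/B/C", "/a/B", "/a/bz", "/other"):
        print(request, "->", evaluate(RULES, request).label)
```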