In a scenario where you want to limit access to a web application, you may ask if and how UAG can help you to fulfill this requirement.
Generally, there are two locations where a URL constraint can be defined:
- In the Paths field in the Web Servers application properties
- In the URL Set
You may ask why UAG maintains two configuration settings for the same requirement. The Paths entries are verified first. If the incoming URL is outside the scope of all Paths entries, it is rejected. The default Paths entry is / so that all URLs on the web server are accessible. If you change / to /foobar/, only URLs located underneath /foobar/ are accessible.
Although the user interface does not enforce it, files and deep links are not allowed in the Paths field. Those constraints have to go into the URL Set, which is found in the trunk configuration.
By default, any character can follow the / after the hostname. For example, if you want to constrain access to the default.aspx page, you have to change Webserver_Rule1 to /default.aspx. In this case no other page would be allowed. If needed, more custom rules can be added to the URL list.
To summarize, Paths must contain only folder names, while the URL Set allows far more granular URL inspection at a higher CPU cost.
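The evaluation order described above can be modelled offline to see which stage rejects a given request and to catch file entries that the user interface lets into Paths. This is an added example, not UAG code: the function names, the host name, the treatment of URL Set rules as full-match regular expressions and the trailing-slash test for folders are all assumptions of the model.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configurations (assumption: rules are full-match regexes).
DEFAULT_RULES = {"Webserver_Rule1": r"/.*"}          # any character after the /
LOCKED_RULES = {"Webserver_Rule1": r"/default.aspx"}  # only the default page


def lint_paths(paths):
    """Return Paths entries that look like files or deep links, not folders.

    Assumption: a folder entry starts and ends with "/" and has no query
    string, as in the "/" and "/foobar/" entries used in the text.
    """
    return [p for p in paths
            if not (p.startswith("/") and p.endswith("/")) or "?" in p]


def evaluate(url, paths, url_set):
    """Model the two-stage check: Paths first, then the URL Set.

    Returns (decision, stage_or_rule). No URL decoding or normalisation is
    done; the model only shows the order in which the two lists apply.
    """
    path = urlsplit(url).path or "/"

    # Stage 1: the request must sit underneath at least one Paths folder.
    if not any(path.startswith(folder) for folder in paths):
        return ("reject", "Paths")

    # Stage 2: the request must match at least one URL Set rule.
    for rule_name, pattern in url_set.items():
        if re.fullmatch(pattern, path):
            return ("allow", rule_name)
    return ("reject", "URL Set")


if __name__ == "__main__":
    host = "https://app.example.test"  # constructed host name
    print(lint_paths(["/", "/foobar/", "/foobar/default.aspx"]))
    for paths, rules, target in [
        (["/"], LOCKED_RULES, "/default.aspx"),
        (["/"], LOCKED_RULES, "/admin.aspx"),
        (["/foobar/"], DEFAULT_RULES, "/other/page.aspx"),
    ]:
        print(paths, target, evaluate(host + target, paths, rules))
```
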