ProxySG Content Policy Language Guide
deny( )
Denies service.
Denial can be overridden by allow or exception( ). To deny service in a way that cannot be overridden by a subsequent allow, use force_deny( ) or force_exception( ).
The relation between authenticate( ) and deny( ) is controlled by the authenticate.force( ) property. By default, deny( ) overrides authenticate( ). Recall that this means that a transaction can be denied before authentication occurs, resulting in no user identification available for logging.
Similarly, the relation between socks.authenticate( ) and deny( ) is controlled by the socks.authenticate.force( ) property. By default, deny( ) overrides socks.authenticate( ).
Replaces: service(no)
Syntax
deny
deny(details)
where details is a string defining a message to be displayed to the user. The details string may contain CPL substitution variables.
Discussion
The deny(details) property is equivalent to exception(policy_denied, details). The identity of an exception being returned can be tested in an <Exception> layer using exception.id=.
For HTTP, a policy_denied exception results in a 403 Forbidden response. This is appropriate when the denial does not depend on the user identity. When the denial does depend on user identity, use deny.unauthorized( ) instead to give the user an opportunity to retry the request with different credentials.
Layer and Transaction Notes
• Use in <Cache>, <Proxy>, and <Admin> layers. In <Forward> layers, use "access_server( )" on page 155.
• Applies to all transactions.
Example
deny url.address=10.25.100.100
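The override behavior described above, shown as a weak policy beside a corrected one. This is an added example, not taken from the guide; the client subnet 10.1.0.0/16, the realm name corp_realm, and the message text are hypothetical placeholders.

```cpl
; Added example; addresses and realm name are constructed placeholders.

; --- Variant A: deny that a later layer can override ---------------------
<Proxy>
    ; Block the host and show a message to the user.
    url.address=10.25.100.100 deny("Access to this host is blocked by policy")

<Proxy>
    ; This layer is evaluated after the one above. For clients in
    ; 10.1.0.0/16 the allow overrides the earlier deny, so those clients
    ; can still reach 10.25.100.100.
    client.address=10.1.0.0/16 allow

; --- Variant B: denial that a subsequent allow cannot override -----------
<Proxy>
    ; Authenticate first, so the user identity is available for logging
    ; even when the transaction ends up denied (corp_realm is hypothetical).
    authenticate(corp_realm) authenticate.force(yes)

<Proxy>
    ; force_deny is not overridden by the allow in the layer below.
    url.address=10.25.100.100 force_deny

<Proxy>
    ; Same allow as in Variant A; it no longer opens up the blocked host.
    client.address=10.1.0.0/16 allow
```

Variants A and B are alternatives, not one policy file. When reviewing a policy for unintended access, check every deny for a later layer whose allow matches the same transaction.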
See Also
• Condition: exception.id=
• Properties: allow, authenticate.force( ), deny.unauthorized( ), force_deny( ), never_refresh_before_expiry( ), never_serve_after_expiry( ), remove_IMS_from_GET( ), remove_PNC_from_GET( ), remove_reload_from_IE_GET( ), request.filter_service( ), socks.authenticate( ), socks.authenticate.force( )