I’m having problems limiting what an impersonated session has access to in one of our environments. The problem, at a simplified level, is illustrated below. We have one top-level realm (/root) that is protected. Under this realm are numerous URLs – but how they are to be protected is not easily specified so multiple complex rules are required under a single realm.
Example URL: http://www.myapp.com/root*
For this example, there is one top level realm named “/root”. Under this realm are three rules.
‘/*’ - Get rule for /root/*
‘/google*’ - Get rule for /root/google/
‘/bing*’ - Get rule for /root/bing/
There is a simple static redirect for /root/google/ to redirect to Google and for /root/bing/ to redirect to Bing.
For this test, I want to allow an Impersonated session access to only Google. I created two new rules as shown below. These rules were applied to the appropriate policies.
‘/google*’ - ImpersonateStart
‘/google*’ - ImpersonateStartUser
For my testing, an impersonator is redirected to Google; this works as expected.
PROBLEM: This same impersonated session is also able to access content for Bing and /root/* which should not be allowed. It seems that allowing impersonation on a more fine-grained rule is also allowing an impersonator access for the other rules. This should not be allowed.
QUESTION: What am I doing wrong here?
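The check a practitioner would want before touching the policy again is a map of which resources an impersonated session can actually reach under the realm/rule layout above. The following is an added example, not code from the original post and not the product's own evaluation engine: it is a constructed toy model of realm and rule matching with trailing-`*` filters, and the two impersonation "scopes" it compares (impersonation actions checked on the rules that match the request, versus any rule in the realm) are assumptions introduced only to reproduce the symptom described in the post. The realm, rule names and paths are taken from the post.

```python
"""Toy model of realm/rule matching for an impersonated session.

Constructed example: this is NOT the product's policy engine. The "rule" and
"realm" scoping modes are assumptions used to show the difference between the
behaviour the post expects and the one it observes.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    pattern: str   # resource filter relative to the realm, e.g. "/google*"
    actions: set   # e.g. {"GET"} or {"ImpersonateStart"}


@dataclass
class Realm:
    prefix: str    # e.g. "/root"
    rules: list    # list of Rule


def matches(pattern: str, rel_path: str) -> bool:
    """Only a trailing '*' wildcard is modelled, as in the post's filters."""
    if pattern.endswith("*"):
        return rel_path.startswith(pattern[:-1])
    return rel_path == pattern


def matching_rules(realm: Realm, path: str) -> list:
    """All rules in the realm whose filter matches the request path."""
    if not path.startswith(realm.prefix):
        return []
    rel = path[len(realm.prefix):] or "/"
    return [r for r in realm.rules if matches(r.pattern, rel)]


def allowed(realm: Realm, path: str, method: str,
            impersonated: bool, scope: str) -> bool:
    """Decide whether a request is allowed.

    scope == "rule":  the impersonation action must sit on a rule that matches
                      the requested path (the behaviour the post expects).
    scope == "realm": any rule in the realm carrying an impersonation action
                      is enough (assumed model of the observed leak).
    """
    hits = matching_rules(realm, path)
    if not any(method in r.actions for r in hits):
        return False                      # no rule grants the HTTP action at all
    if not impersonated:
        return True                       # ordinary session: normal rule result
    pool = hits if scope == "rule" else realm.rules
    return any("ImpersonateStart" in r.actions for r in pool)


def reachable(realm: Realm, paths: list, scope: str) -> set:
    """Paths an impersonated session can GET under the given scope assumption."""
    return {p for p in paths if allowed(realm, p, "GET", True, scope)}


# Constructed realm mirroring the post: one realm, three GET rules, and the two
# impersonation rules that were added only on the /google* filter.
ROOT = Realm("/root", [
    Rule("/*", {"GET"}),
    Rule("/google*", {"GET"}),
    Rule("/bing*", {"GET"}),
    Rule("/google*", {"ImpersonateStart"}),
    Rule("/google*", {"ImpersonateStartUser"}),
])

TEST_PATHS = ["/root/", "/root/google/", "/root/bing/"]

if __name__ == "__main__":
    for scope in ("rule", "realm"):
        print(f"scope={scope}: impersonated GET reaches {sorted(reachable(ROOT, TEST_PATHS, scope))}")
```

Running the block prints the set reachable under each assumption: with rule-scoped impersonation only /root/google/ is reachable, which is what the post wants; with realm-scoped impersonation all three paths are reachable, which is the symptom reported. Replacing the constructed rule table with an export of the real realm's rules turns this into a quick regression check to run after each policy change.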