Tuesday, September 27, 2005

Ignore Extensions and Ignore URLs

These are the two parameters you would be tempted to set while configuring a SiteMinder policy server. The purpose is simple: "Ignore Extensions" bypasses authentication for the specified file extensions, while "Ignore URL" bypasses authentication for the specified URL. If you put ASP as a value in the "Ignore Extensions" parameter, SiteMinder will not perform authentication for any HTTP request for any ASP file sitting on the web server. In some cases, the scope of the server includes multiple websites residing on the same server. Similarly, if you put the URL of a website into the "Ignore URL" parameter, all documents within that website become accessible over HTTP without any authentication.

Looking into these two parameters, my first impression was that they don't meet my practical requirements. As an example, I have a website which I need to keep fully secured, so that all pages can be accessed only after authentication through SiteMinder. The only exception would be the login page, which I have designed and developed for the specific application. This means I needed to open unauthenticated access to one ASP, one JS, one CSS, and a few GIFs. If I put all these as "Ignore Extensions", it would open the full site, literally.

Fortunately, SiteMinder treats the full URL (including directory and file name) as a URL. So, I could use the "Ignore URL" parameter to list the specific file URLs and make them unprotected. Later, I moved all these files into one sub-directory called "Login" and replaced the earlier URLs with a single one: http://myserver/Login/. As it appears now, the requirement has been met. This has been put into testing now; till then I am keeping my fingers crossed.
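
The difference between the two settings, as an added example that is not from the original post and is not SiteMinder code: a simplified Python model of the behaviour described above, used to audit which paths end up skipping authentication. The file names and the helpers `is_ignored`, `exposed` and `unintended` are hypothetical, and case-insensitive prefix matching is an assumption.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed inventory of the site from the post (file names are hypothetical).
SITE_PATHS = [
    "/Login/login.asp", "/Login/login.js", "/Login/login.css", "/Login/logo.gif",
    "/default.asp", "/reports/summary.asp", "/scripts/app.js", "/images/banner.gif",
]
# The only files that are meant to be reachable without authentication.
INTENDED_PUBLIC = SITE_PATHS[:4]


def is_ignored(url, ignore_ext=(), ignore_url=()):
    """Simplified model: True if a request for `url` would skip authentication."""
    path = urlsplit(url).path.lower()
    ext = posixpath.splitext(path)[1].lstrip(".")
    # "Ignore Extensions": matches on extension alone, anywhere on the server.
    if ext in {e.lower().lstrip(".") for e in ignore_ext}:
        return True
    # "Ignore URL": matches everything under the configured URL path.
    return any(path.startswith(urlsplit(u).path.lower()) for u in ignore_url)


def exposed(paths, **settings):
    """All paths that skip authentication under the given settings."""
    return sorted(p for p in paths if is_ignored(p, **settings))


def unintended(paths, intended_public, **settings):
    """Paths that skip authentication but were not meant to be public."""
    return sorted(set(exposed(paths, **settings)) - set(intended_public))


if __name__ == "__main__":
    by_ext = dict(ignore_ext=["asp", "js", "css", "gif"])
    by_url = dict(ignore_url=["http://myserver/Login/"])
    print("Ignore Extensions leaks:", unintended(SITE_PATHS, INTENDED_PUBLIC, **by_ext))
    print("Ignore URL leaks:       ", unintended(SITE_PATHS, INTENDED_PUBLIC, **by_url))
    # Caveat: a file dropped into /Login/ later is public too.
    later = SITE_PATHS + ["/Login/export.asp"]
    print("After adding a file:    ", unintended(later, INTENDED_PUBLIC, **by_url))
```

Running the audit against a real file inventory after each deployment catches files that have drifted into the unprotected directory.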
