ProxySG Content Policy Language Guide
deny( )
Denies service.
Denial can be overridden by allow or exception( ). To deny service in a way that cannot be overridden by a subsequent allow, use force_deny( ) or force_exception( ).
The relation between authenticate( ) and deny( ) is controlled by the authenticate.force( ) property. By default, deny( ) overrides authenticate( ). Recall that this means a transaction can be denied before authentication occurs, in which case no user identification is available for logging.
Similarly, the relation between socks.authenticate( ) and deny( ) is controlled by the socks.authenticate.force( ) property. By default, deny( ) overrides socks.authenticate( ).
Replaces: service(no)
Syntax
deny
deny(details)
where details is a string defining a message to be displayed to the user. The details string may contain CPL substitution variables.
Discussion
The deny(details) property is equivalent to exception(policy_denied, details). The identity of an exception being returned can be tested in an <Exception> layer using exception.id=.
For HTTP, a policy_denied exception results in a 403 Forbidden response. This is appropriate when the denial does not depend on the user identity. When the denial does depend on user identity, use deny.unauthorized( ) instead to give the user an opportunity to retry the request with different credentials.
Layer and Transaction Notes
• Use in <Cache>, <Proxy>, and <Admin> layers. In <Forward> layers, use "access_server( )" on page 155.
• Applies to all transactions.
Example
deny url.address=10.25.100.100
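The following policy is an added illustration, not part of the original guide. It shows how deny( ), a later allow, force_deny( ), and authenticate.force( ) interact across layers. The realm name corp_realm, the addresses, and the domain are constructed placeholders.

```cpl
; Constructed example: corp_realm, the addresses and the domain are placeholders.

<Proxy>
    ; By default deny( ) overrides authenticate( ), so a denied transaction
    ; may carry no user name in the access log. Forcing authentication
    ; makes the user identity available for logging even when a later
    ; rule denies the request.
    authenticate(corp_realm) authenticate.force(yes)

<Proxy>
    ; Overridable denial with a user-visible message. For HTTP this
    ; returns the policy_denied exception (403 Forbidden). The details
    ; string uses a CPL substitution variable.
    url.address=10.25.100.100 deny("Access to $(url.host) is blocked by policy")

    ; Denial that no subsequent allow can override.
    url.domain=blocked.example.com force_deny

<Proxy>
    ; Later layer: this allow overrides the deny( ) above for the
    ; management subnet. It has no effect on the force_deny rule.
    client.address=10.1.1.0/24 url.address=10.25.100.100 allow
```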
See Also
• Condition: exception.id=
• Properties: allow, authenticate.force( ), deny.unauthorized( ), force_deny( ), never_refresh_before_expiry( ), never_serve_after_expiry( ), remove_IMS_from_GET( ), remove_PNC_from_GET( ), remove_reload_from_IE_GET( ), request.filter_service( ), socks.authenticate( ), socks.authenticate.force( )