Brute Force Protection Configuration, Access Validation match successful logons with Location Header, Syntax?
I have a problem with ASM in the Brute Force Protection Configuration, Access Validation match successful logons. The response of the logon page is only a redirect (no further content), here in case of a failed logon:
HTTP/1.1 302 Found
Date: Wed, 06 Aug 2014 14:14:11 GMT
P3P: CP="NOI DSP COR NID CURa OUR NOR OTC"
Location: https://servername/shop/viewUserHome.do
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
In case of a successful logon the redirect location can be one of the following:
Location: https://servername/shop/initiateOrder.do
Location: https://servername/shop/viewUserHome.do
Because the same server/application works with multiple hostnames (name-based virtual hosting), the same logon URI is used and therefore the servername can change, which is why I tried wildcards.
In the Brute Force Protection Configuration I defined in Access Violation to match successful logons:
Expected HTTP response status code
-> 302
Expected validation header name and value (for example, Location header), here I tried
-> Location: .*viewUserHome\.do|Location: .*initiateOrder\.do
-> Location: */shop/viewUserHome.do
also for tests
-> Location: https://servername/shop/viewUserHome.do
In no case does the validation header match, and the "Maximum login attempts exceeded" is generated.
Does somebody know the correct syntax for the Expected validation header name and value field? Are wildcards possible? Or regex?
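Added example (not from the original post and not F5's own matching code): a small Python script that applies a "successful logon" rule of the kind described above (expected status code plus a regular expression over one response header) to response samples constructed from the redirects quoted in the post. It shows two things a practitioner would want to check before tuning such a rule: the regex alternation `.*viewUserHome\.do|.*initiateOrder\.do` matches both success targets regardless of hostname, while the glob-style `*/shop/viewUserHome.do` is not a valid regular expression at all (a leading `*` has nothing to repeat); and, because the failed logon also redirects to `viewUserHome.do`, a rule on the Location header alone accepts that failure as a success, so only `initiateOrder.do` separates the two outcomes in these samples. The hostnames `servername` and `otherhost` are placeholders, and the anchored-at-start `re.match` semantics are an assumption, not a statement about how ASM evaluates the field.

```python
import re

# Constructed sample responses, shaped like the redirects quoted in the post.
# Only the status line and the Location header matter for the rule.
# "servername" / "otherhost" are placeholder hostnames for two virtual hosts.
FAILED_LOGON = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://servername/shop/viewUserHome.do\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SUCCESS_ORDER = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://servername/shop/initiateOrder.do\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SUCCESS_HOME_OTHER_VHOST = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://otherhost/shop/viewUserHome.do\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The two candidate patterns from the post (header name stripped off).
REGEX_RULE = r".*viewUserHome\.do|.*initiateOrder\.do"
GLOB_RULE = r"*/shop/viewUserHome.do"


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_valid_regex(pattern):
    """True if the pattern compiles as a regular expression."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def is_successful_logon(raw, expected_status, header_name, value_regex):
    """Apply the rule: status must equal expected_status and the named header's
    value must match value_regex (assumption: matched from the start of the value)."""
    status, headers = parse_response(raw)
    if status != expected_status:
        return False
    value = headers.get(header_name.lower())
    if value is None:
        return False
    return re.match(value_regex, value) is not None


def rule_separates(successes, failures, expected_status, header_name, value_regex):
    """True only if the rule accepts every success sample and rejects every failure sample.
    A rule that does not separate them will count failed logons as successes."""
    accepts_all = all(
        is_successful_logon(s, expected_status, header_name, value_regex) for s in successes
    )
    rejects_all = not any(
        is_successful_logon(f, expected_status, header_name, value_regex) for f in failures
    )
    return accepts_all and rejects_all


if __name__ == "__main__":
    print("glob rule is a valid regex:", is_valid_regex(GLOB_RULE))
    print("regex rule is a valid regex:", is_valid_regex(REGEX_RULE))
    for name, sample in [("failed", FAILED_LOGON), ("order", SUCCESS_ORDER),
                         ("home/otherhost", SUCCESS_HOME_OTHER_VHOST)]:
        print(name, "->", is_successful_logon(sample, 302, "Location", REGEX_RULE))
    print("Location rule separates success from failure:",
          rule_separates([SUCCESS_ORDER, SUCCESS_HOME_OTHER_VHOST], [FAILED_LOGON],
                         302, "Location", REGEX_RULE))
    print("initiateOrder-only rule separates:",
          rule_separates([SUCCESS_ORDER], [FAILED_LOGON], 302, "Location",
                         r".*initiateOrder\.do"))
```

Running the script prints that the glob pattern does not compile, that all three samples (including the failed logon) satisfy the alternation rule, and that the rule therefore does not separate the outcomes; narrowing to `initiateOrder\.do` does, but only for logons that land on that page.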