Web Application Firewall

A web application firewall (WAF) or web shield is a firewall that protects web applications against attacks carried over the HTTP protocol. Combined with an Identity and Access Management (IAM) system, it also protects against unauthorized access and supports Single Sign-on (SSO).

Most WAF or IAM systems let you configure how the user name of the identified user is transmitted to the web applications. With Axon Ivy Engine a typical system landscape looks like this:

// Nodes carry fixed positions (pos="x,y!"), so render this graph with a
// layout engine that honours them, such as neato.
digraph overview {
  browser [label="Browser" pos="0,3!" width=1];

  waf [label="Web Application\nFirewall (WAF)" pos="3.5,3!" width=1.6];
  iam [label="Identity and\nAccess Mgmt.\n(IAM)" pos="3.5,1.5!" height=1.1 width=1.6];
  ad [label="Active\nDirectory" pos="3.5,0!" height=0.9 width=1.6];

  engine [label="Axon Ivy\nEngine" pos="7,3!" width=1.5 color="#C7D426" fontcolor="black"];

  // The browser only ever holds the WAF session; the WAF opens its own
  // engine session and forwards the identified user name in a header.
  browser -> waf [label="WAF_SESSION=X" fontsize=10];
  waf -> engine [label="JSessionID=Y\nX-Forwarded-User=john" fontsize=10];
  engine -> ad;
  iam -> ad;
  waf -> iam;
}

The only available access point must be the WAF, and all traffic has to be routed over it: the user name is carried in a plain header or cookie, so a client that could reach the web application directly could supply any name it likes. The WAF protects the web application behind it (e.g. Axon Ivy Engine) from attacks and uses the IAM to identify users and to protect certain resources from unauthorized access. The IAM itself may use a directory server such as Microsoft Active Directory to look up users. The WAF can be configured to pass the name of the identified user to the web application (Axon Ivy Engine) either as an HTTP header or as an HTTP cookie.
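As an added example (not Axon Ivy Engine code), the following shows how a web application behind the WAF can resolve the identified user from either carrier while refusing to trust the value unless the request actually arrived from the WAF. The header name X-Forwarded-User comes from the diagram above; the WAF address range, the cookie name WAF_USER and the Request structure are assumptions made for the example.

```python
"""Resolve the WAF-asserted user name from an incoming request (illustrative code)."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumption: the WAF reaches the engine from this network. Anything else is
# treated as an untrusted direct connection and its identity claims are ignored.
TRUSTED_WAF_NETWORKS: List = [ip_network("10.0.1.0/24")]
USER_HEADER = "X-Forwarded-User"   # header name shown in the landscape diagram
USER_COOKIE = "WAF_USER"           # hypothetical cookie name (assumption)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the web application sees it."""
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)


def _header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def from_trusted_waf(req: Request) -> bool:
    """True only when the request's source address belongs to the WAF network."""
    addr = ip_address(req.remote_addr)
    return any(addr in net for net in TRUSTED_WAF_NETWORKS)


def identified_user(req: Request, carrier: str = "header") -> Optional[str]:
    """Return the user name asserted by the WAF, or None if it cannot be trusted.

    `carrier` mirrors the WAF setting: "header" reads X-Forwarded-User,
    "cookie" reads the WAF_USER cookie. In both cases the value is only
    accepted when the request came through the WAF.
    """
    if not from_trusted_waf(req):
        return None

    if carrier == "header":
        value = _header(req, USER_HEADER)
    elif carrier == "cookie":
        raw = _header(req, "Cookie")
        if raw is None:
            return None
        jar = SimpleCookie()
        jar.load(raw)
        value = jar[USER_COOKIE].value if USER_COOKIE in jar else None
    else:
        raise ValueError(f"unknown carrier: {carrier!r}")

    if value is None or not value.strip():
        return None
    return value.strip()


if __name__ == "__main__":
    # Constructed sample requests: one relayed by the WAF, one hitting the engine directly.
    via_waf = Request("10.0.1.7", {"X-Forwarded-User": "john", "Cookie": "JSessionID=Y"})
    direct = Request("203.0.113.5", {"X-Forwarded-User": "admin"})
    print(identified_user(via_waf))   # john
    print(identified_user(direct))    # None: header is ignored off the WAF path
```

The source-address check is what makes the header or cookie meaningful; it is the code-level counterpart of the rule that the WAF must be the only access point. If the application is reachable from anywhere else, the identity claim is worth nothing regardless of how carefully it is parsed.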