Web Application Firewall

A web application firewall (WAF) or web shield is a firewall that protects web applications against attacks using the HTTP and HTTPS protocols. Combined with an Identity and Access Management (IAM) system, it also protects against unauthorized access and supports Single Sign-on (SSO).

Most WAF or IAM systems let you configure how the user name of the identified user is transmitted to the web application. With the Axon Ivy Engine, a typical system landscape looks as follows:


digraph overview {
  layout=neato;
  node [shape=box, height="0.8", width="2", color="#007095", style=filled, fixedsize="true", margin=0, fontname="Roboto,Helvetica Neue,Arial,sans-serif", fontcolor="white", fontsize=15 ];

  /* nodes */
  browser [label="Browser", pos="0.0,3.0!", height="0.8", width="1.5"];
  waf [label="Web\nApplication\nFirewall (WAF)", pos="3.5,3.0!", height="0.8", width="1.5"];
  iam [label="Identity and\nAccess Management\n(IAM)", pos="3.5,1.5!", height="0.8", width="2.0"];
  ad [label="Active\nDirectory" pos="3.5,0!" height=0.9 width=1.6];
  engine [label="Axon Ivy\nEngine" pos="7,3!", height="0.8", width="1.5", color="#C7D426", fontcolor="black"];

  /* edges */
  browser -> waf;
  waf -> engine;
  engine -> ad;
  iam -> ad;
  waf -> iam;

  /* edge labels */
  browser_waf [label="WAF_SESSION=X\n \n ", pos="1.75,3.0!", shape=none, fillcolor=none, fontcolor="black", fontsize="11"];
  waf_engine [label="JSessionID=Y\n \nX-Forwarded-User=john", pos="5.20,3.0!", shape=none, fillcolor=none, fontcolor="black", fontsize="11"];
}


The WAF has to be the only available access point: all traffic has to be routed via the WAF. The WAF tries to protect the web application behind it (e.g., the Axon Ivy Engine) from attacks. The WAF uses the IAM to identify users and to protect certain resources from unauthorized access. The IAM itself may use a directory server like Microsoft Active Directory to authenticate users. The WAF can be configured to provide the name of the identified user to the web application (Axon Ivy Engine) as either an HTTP header or an HTTP cookie.
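
The user name in the header is only as trustworthy as the path the request took, which is why the WAF has to be the sole access point. The following added example (not Axon Ivy code and not how the engine implements it) shows the check a backend can apply before accepting X-Forwarded-User; the WAF address range and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration: the WAF's internal address range and the
# header name shown in the diagram above.
TRUSTED_WAF_NETS = [ipaddress.ip_network("10.0.5.0/28")]
USER_HEADER = "x-forwarded-user"


def from_waf(peer_ip, nets=TRUSTED_WAF_NETS):
    """True only if the TCP peer is one of the configured WAF addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def resolve_user(peer_ip, headers):
    """Return the user name asserted by the WAF, or None if not trustworthy.

    headers is a list of (name, value) pairs so repeated headers stay visible.
    """
    values = [v.strip() for n, v in headers if n.lower() == USER_HEADER]
    if not from_waf(peer_ip):
        return None            # connection did not come via the WAF: ignore header
    if len(values) != 1:
        return None            # missing or repeated header: ambiguous identity
    user = values[0]
    if not user or not user.isprintable() or "," in user:
        return None            # empty, control characters, or a folded value list
    return user


# Constructed sample requests: (peer address, header list).
SAMPLES = [
    ("10.0.5.3", [("X-Forwarded-User", "john")]),
    ("192.0.2.44", [("X-Forwarded-User", "john")]),
    ("10.0.5.3", [("X-Forwarded-User", "john"), ("x-forwarded-user", "admin")]),
    ("10.0.5.3", [("Host", "ivy.example.com")]),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", resolve_user(peer, hdrs))
```

Only the first sample yields a user name; the other three are rejected because the peer is not the WAF, the header is repeated, or the header is absent.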