What is your idea for improving documentation?
Hello, I've been testing F5 WAF for NGINX's JWT protection feature recently, and found out that VIOL_ACCESS_UNAUTHORIZED should be set under blocking-settings to validate JWT claims via authorizationRules.
If VIOL_ACCESS_UNAUTHORIZED is not configured, it appears that the policy only validates the JWT itself and does not validate the values of the claims defined in authorizationRules, allowing the request to pass.
I think a description of VIOL_ACCESS_UNAUTHORIZED should be added under these sections:
https://docs.nginx.com/waf/policies/jwt-protection
- Authorization rules in URLs
- Attack signatures
- JSON web token violations
Which product or products does this idea relate to?
F5 WAF for NGINX
Does this idea relate to other issues?
No response
Are there alternative ideas for improving the same topic?
No response
Any additional information
The following is a portion of the security log when VIOL_ACCESS_UNAUTHORIZED is set to block.
```json
{
  "violations": [
    {
      "enforcementState": {
        "isBlocked": true,
        "isAlarmed": true,
        "isLearned": false,
        "attackType": [
          {
            "name": "Authentication/Authorization Attacks"
          }
        ]
      },
      "violation": {
        "name": "VIOL_ACCESS_UNAUTHORIZED"
      },
      "policyEntity": {
        "urls": [
          {
            "name": "/api/premium",
            "authorizationRules": [
              {
                "name": "subscription"
              }
            ]
          }
        ]
      },
      "observedEntity": {
        "claims": {
          "sub": "temp",
          "name": "John Doe",
          "role": "unknown",
          "iat": 1516239022,
          "exp": 1900000000
        }
      }
    }
  ]
}
```