How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I define a list of Not Enforced URLs that Web Agents can ignore for authentication purposes in AM (All versions)?

Last updated Sep 22, 2021

The purpose of this article is to provide information on defining a list of Not Enforced URLs that Web Agents can ignore for authentication purposes in AM. You can list complete URLs, or URL patterns that use wildcards, for example, http://example.com/*


Overview

The agent is always invoked, even when a URL is on the Not Enforced URL list, since the agent needs to determine whether the resource needs protecting or not; however, policy evaluation does not happen if a URL is on the Not Enforced URL list. Adding static content (such as graphics, images and CSS files) to the Not Enforced URL list can improve performance by reducing unnecessary processing.

You can see this happening in the agent debug log (when the debug level is set to All); the agent is invoked to determine if the resource needs protecting and matches the URL on the Not Enforced URL list. For example:

2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list(http://www.example.com/test/): matched 'http://www.example.com/test/' entry in not-enforced list
2016-08-16 20:33:53.504 Debug 65819:7f22ec000950 all: in_not_enforced_list: Allowing access to http://www.example.com/test/

Defining a list of Not Enforced URLs

You can define a list of Not Enforced URLs (if your Web Agent uses centralized configuration) using either the console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Application > Not Enforced URLs and add the required URLs and/or URL patterns.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID], [passwordfile] and [URL] with appropriate values:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.url[0]=[URL]

For localized configurations, you must edit the equivalent agent.conf file (located in the /path/to/web_agents/agent_version/instances/Agent_nnn/config directory) instead.

You can add as many URLs and/or URL patterns as required by adding multiple com.sun.identity.agents.config.notenforced.url[n] properties, separated by a space, and ensuring that [n] increments for each additional URL or URL pattern. For example:

$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.url[0]=http://www.example.com/example/* com.sun.identity.agents.config.notenforced.url[1]=http://www.example.com/test/*

Wildcards do not match ?. You must explicitly add resource patterns to match URLs with query strings; specifying resource patterns is described in: Configuring Resource Types. You should also URL encode any spaces in the URL, replacing spaces with %20.
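The following script is an added example, not part of the original article or ForgeRock's tooling. It builds the indexed property list for the ssoadm command above from a list of patterns, encodes spaces as %20, and lists wildcard patterns that contain no ?, which therefore will not cover URLs with query strings. The function names and sample patterns are constructed for illustration, and patterns are assumed to contain no single quotes.

```shell
#!/bin/sh
# Build the -a property list for "ssoadm update-agent" from not-enforced URL
# patterns passed as arguments. Function names here are illustrative only.
PROP='com.sun.identity.agents.config.notenforced.url'

# Replace literal spaces with %20, as the article requires.
encode_spaces() {
    printf '%s' "$1" | sed 's/ /%20/g'
}

# Print one "property[n]=pattern" line per pattern, with n starting at 0.
not_enforced_props() {
    n=0
    for pattern in "$@"; do
        printf '%s[%d]=%s\n' "$PROP" "$n" "$(encode_spaces "$pattern")"
        n=$((n + 1))
    done
}

# Print the patterns that use a wildcard but contain no "?". Because wildcards
# do not match "?", these will not cover URLs that carry a query string.
no_query_coverage() {
    for pattern in "$@"; do
        case "$pattern" in
            *\?*) ;;                          # has an explicit "?" already
            *\**) printf '%s\n' "$pattern" ;; # wildcard without "?"
        esac
    done
}

# Join the properties into a space-separated list, single-quoting each one so
# the shell does not glob the "*" when the resulting command is run.
ssoadm_attr_args() {
    not_enforced_props "$@" | sed "s/.*/'&'/" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample patterns (not from a real deployment).
demo() {
    set -- 'http://www.example.com/example/*' \
           'http://www.example.com/my docs/*' \
           'http://www.example.com/test/*?*'
    printf '%s\n' "./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a $(ssoadm_attr_args "$@")"
    echo "Patterns that will not match URLs with a query string:" >&2
    no_query_coverage "$@" >&2
}
demo
```

Review the printed command and the flagged patterns before running ssoadm; the bracketed placeholders are the same ones used in the article and must still be replaced.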

Note

You must restart the web application container in which AM runs to apply these configuration changes.

See Also

How do I define a list of Not Enforced URIs that Java Agents can ignore for authentication purposes in AM (All versions)?

About Authorization and Policy Decisions

Not-Enforced URL and IP

Related Training

ForgeRock Access Management Core Concepts (AM-400)

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.