Trailing wildcard in policy rules causes policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0
The purpose of this article is to provide assistance if you are experiencing policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0 when you have policy rules with trailing wildcards. Policy rules with trailing wildcards are matched incorrectly, which causes access denied errors (Error 403 Access Denied/Forbidden).
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown in the browser when attempting to access a policy agent protected resource:
Error 403 Access Denied/Forbidden
Recent Changes
Upgraded to OpenAM 11.0.0 and / or Policy Agents 3.3.0
Changed policy rules to include trailing wildcards in resource URLs, for example, http://fqdn.example.com:80/context?
Causes
The policy agent normalizes the requested URL by removing the trailing wildcard character, but once it has been removed the URL no longer matches the policy rule.
Additionally, wildcards are matched differently depending on whether they are after a forward slash or not; usually they match zero or more characters, but after a forward slash, they match one or more characters.
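To make the two matching behaviours concrete, the following added example (not ForgeRock code) models them in Python: the pre-fix agent strips a trailing '?' from the evaluated URL (as OPENAM-3649/3650 describe) and treats a '*' after a forward slash as one-or-more characters, while the fixed behaviour leaves the URL intact and treats every '*' as zero-or-more. The rules and URLs are constructed sample values, and the model only illustrates the semantics described in this article, not OpenAM's actual implementation.

```python
import re

# Constructed sample rules (not taken from the article).
RULE_QUERY = "http://fqdn.example.com:80/context?*"
RULE_PATH = "http://fqdn.example.com:80/context/*"


def rule_to_regex(rule: str, legacy: bool) -> re.Pattern:
    """Translate a policy rule containing '*' wildcards into a regex.

    legacy=True models OpenAM 11.0.0 / agents 3.3.0: a '*' directly after
    '/' matches one or more characters, any other '*' zero or more.
    legacy=False models 11.0.1 / 3.3.1: every '*' matches zero or more.
    """
    parts = []
    for i, ch in enumerate(rule):
        if ch != "*":
            parts.append(re.escape(ch))
        elif legacy and i > 0 and rule[i - 1] == "/":
            parts.append(".+")
        else:
            parts.append(".*")
    return re.compile("^" + "".join(parts) + "$")


def legacy_agent_normalize(url: str) -> str:
    """Model the 3.3.0 agent normalization from OPENAM-3649/3650:
    a trailing '?' is stripped from the resource URL before evaluation."""
    return url[:-1] if url.endswith("?") else url


def is_allowed(rule: str, requested_url: str, legacy: bool) -> bool:
    """Evaluate a single allow rule against the URL the agent sends."""
    url = legacy_agent_normalize(requested_url) if legacy else requested_url
    return rule_to_regex(rule, legacy).match(url) is not None


if __name__ == "__main__":
    cases = [(RULE_QUERY, "http://fqdn.example.com:80/context?"),
             (RULE_PATH, "http://fqdn.example.com:80/context/")]
    for rule, url in cases:
        # Both cases are denied under the legacy model and allowed after the fix.
        print(f"{rule} vs {url}: legacy={is_allowed(rule, url, True)} "
              f"fixed={is_allowed(rule, url, False)}")
```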
Solution
This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.
Both OpenAM and the policy agents now leave the trailing wildcard in place and always match it to zero or more characters, regardless of whether it follows a forward slash or not.
See Also
Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x
Related Training
N/A
Related Issue Tracker IDs
OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL)
OPENAM-3649 (WPA removes a trailing '?' from a resource URL being evaluated)
OPENAM-3650 (JPA removes a trailing '?' from a resource URL being evaluated)