Trailing wildcard in policy rules causes policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0

Symptoms

The following error is shown in the browser when attempting to access a policy agent protected resource:

Recent Changes

Upgraded to OpenAM 11.0.0 and / or Policy Agents 3.3.0

Changed policy rules to include trailing wildcards in resource URLS, for example, http://fqdn.example.com:80/context?

Causes

The policy agent normalizes the URL by removing the trailing wildcard, but in doing so means the URL no longer matches the policy rule.

Additionally, wildcards are matched differently depending on whether they are after a forward slash or not; usually they match zero or more characters, but after a forward slash, they match one or more characters.

Solution

This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.

Both OpenAM and the policy agents now leave the trailing wildcard in place and always match it to zero or more characters, regardless of whether it follows a forward slash or not.

See Also

Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x

Trailing forward slash removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0 which causes access denied error

OpenAM 11.0.1 Release Notes › OpenAM Changes and Deprecated Functionality › Important Changes to Existing Functionality

OpenAM Web Policy Agent 3.3.1 Release Notes › Web Policy Agents 3.3.1 › Important Changes to Web Policy Agent Functionality

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL)

OPENAM-3649 (WPA removes a trailing '?' from a resource URL being evaluated)

OPENAM-3650 (JPA removes a trailing '?' from a resource URL being evaluated)