This article has been archived and is no longer maintained by ForgeRock.
The following error is shown in the browser when attempting to access a policy agent protected resource:Error 403 Access Denied/Forbidden
Upgraded to OpenAM 11.0.0 and / or Policy Agents 3.3.0
Changed policy rules to include trailing wildcards in resource URLS, for example, http://fqdn.example.com:80/context?
The policy agent normalizes the URL by removing the trailing wildcard, but in doing so means the URL no longer matches the policy rule.
Additionally, wildcards are matched differently depending on whether they are after a forward slash or not; usually they match zero or more characters, but after a forward slash, they match one or more characters.
This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.
Both OpenAM and the policy agents now leave the trailing wildcard in place and always match it to zero or more characters, regardless of whether it follows a forward slash or not.