Trailing wildcard in policy rules causes policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you are experiencing policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0 when you have policy rules with trailing wildcards. Policy rules with trailing wildcards are matched incorrectly, which causes access denied errors (Error 403 Access Denied/Forbidden).

1 reader recommends this article


This article has been archived and is no longer maintained by ForgeRock.


The following error is shown in the browser when attempting to access a policy agent protected resource:

Error 403 Access Denied/Forbidden

Recent Changes

Upgraded to OpenAM 11.0.0 and / or Policy Agents 3.3.0

Changed policy rules to include trailing wildcards in resource URLS, for example,


The policy agent normalizes the URL by removing the trailing wildcard, but in doing so means the URL no longer matches the policy rule.

Additionally, wildcards are matched differently depending on whether they are after a forward slash or not; usually they match zero or more characters, but after a forward slash, they match one or more characters.


This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.

Both OpenAM and the policy agents now leave the trailing wildcard in place and always match it to zero or more characters, regardless of whether it follows a forward slash or not.

See Also

Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x

Trailing forward slash removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0 which causes access denied error

OpenAM 11.0.1 Release Notes › OpenAM Changes and Deprecated Functionality › Important Changes to Existing Functionality

OpenAM Web Policy Agent 3.3.1 Release Notes › Web Policy Agents 3.3.1 › Important Changes to Web Policy Agent Functionality

Related Training


Related Issue Tracker IDs

OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL)

OPENAM-3649 (WPA removes a trailing '?' from a resource URL being evaluated)

OPENAM-3650 (JPA removes a trailing '?' from a resource URL being evaluated)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.