How do I define a list of Not Enforced URIs that Java Agents can ignore for authentication purposes in AM (All versions)?
The purpose of this article is to provide information on defining a list of Not Enforced URIs that Java Agents can ignore for authentication purposes in AM. You can exempt complete URIs, or URI patterns that use wildcards, for example, /test/images/*.
Overview
The agent is always invoked, even when a URL is on the Not Enforced URI list, because the agent needs to determine whether the resource needs protecting or not; however, policy evaluation does not happen if a URL is on the Not Enforced URI list. Adding static content (such as graphics, images and CSS files) to the Not Enforced URI list can improve performance by reducing unnecessary processing.
Defining a list of Not Enforced URIs
You can define a list of Not Enforced URIs (if your Java Agent uses centralized configuration) using either the AM admin UI or ssoadm:
- AM admin UI: navigate to: Realms > [Realm Name] > Applications > Agents > Java > [Agent ID] > Application > Not Enforced URIs and add the required URIs and/or URI patterns.
- ssoadm: enter the following command, replacing [realmname], [agentname], [adminID], [passwordfile] and [URI] with appropriate values:
  $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.uri[1]=[URI]
You can add as many URIs and/or URI patterns as required by adding multiple com.sun.identity.agents.config.notenforced.uri[n] properties separated by a space and ensuring the [n] increments for each additional URI or URI pattern. For example:
$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.uri[1]=http://www.example.com/example/* com.sun.identity.agents.config.notenforced.uri[2]=http://www.example.com/test/*
Wildcards do not match ?. You must explicitly add resource patterns to match URLs with query strings; specifying resource patterns is described in: Configuring Resource Types.
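The numbering rule and the wildcard caveat above, as an added shell example that is not part of the original article: it turns a reviewed list of URIs into the numbered property assignments. The function name, the uris.txt file name and the rule that refuses whole-site patterns are assumptions of this example, not AM behaviour.

```shell
# Added example (not from the article): build the numbered Not Enforced URI
# properties for "ssoadm update-agent -a" from a reviewed list of patterns.
PROP='com.sun.identity.agents.config.notenforced.uri'

# Reads one URI or URI pattern per line on stdin; prints PROP[n]=URI lines with
# n starting at 1. Returns 1 if any entry was rejected (reasons go to stderr).
build_notenforced_args() {
  ne_n=0; ne_rc=0
  while IFS= read -r ne_uri || [ -n "$ne_uri" ]; do
    case "$ne_uri" in
      ''|'#'*) continue ;;            # blank line or comment
      *[[:space:]]*)                  # properties are separated by spaces
        printf 'rejected (whitespace): %s\n' "$ne_uri" >&2; ne_rc=1; continue ;;
    esac
    # Isolate the path (drop scheme and host) so whole-site patterns can be refused.
    ne_path=${ne_uri#*://}
    if [ "$ne_path" != "$ne_uri" ]; then
      ne_path="/${ne_path#*/}"
    fi
    # Assumed policy of this example, not an AM rule: a pattern covering the
    # whole site would switch off policy evaluation for everything.
    case "$ne_path" in
      '/*'|'*')
        printf 'rejected (whole site): %s\n' "$ne_uri" >&2; ne_rc=1; continue ;;
    esac
    # The article's caveat: wildcards do not match "?".
    case "$ne_uri" in
      *'?'*) ;;
      *'*'*) printf 'note: %s does not cover URLs with query strings\n' "$ne_uri" >&2 ;;
    esac
    ne_n=$((ne_n + 1))
    printf '%s[%d]=%s\n' "$PROP" "$ne_n" "$ne_uri"
  done
  return "$ne_rc"
}

# Constructed sample list, using the two patterns from the article's example.
build_notenforced_args <<'EOF'
# static content only
http://www.example.com/example/*
http://www.example.com/test/*
EOF

# Applying the result (uris.txt is a hypothetical file; set -f stops the shell
# from expanding the wildcards before ssoadm sees them):
#   args=$(build_notenforced_args < uris.txt) &&
#     ( set -f; ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a $args )
```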
Note
You must restart the web application container in which AM runs to apply these configuration changes.
See Also
About Authorization and Policy Decisions
Related Training
ForgeRock Access Management Deep Dive (AM-410)