How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I define a list of Not Enforce URIs that Java Agents can ignore for authentication purposes in AM (All versions)?

Last updated Jan 11, 2023

The purpose of this article is to provide information on defining a list of Not Enforce URIs that Java Agents can ignore for authentication purposes in AM. You can specify to not enforce complete URIs or URI patterns by using wildcards in the URI, for example, /test/images/*.



Overview

The agent is always invoked, even when a URL is on the Not Enforced URI list, since the agent needs to determine whether the resource needs protecting or not; however, policy evaluation does not happen if a URL is on the Not Enforced URI list. Adding static content (such as graphics, images and CSS files) to the Not Enforced URI list can improve performance by reducing unnecessary processing.

Defining a list of Not Enforced URIs

You can define a list of Not Enforced URIs (if your Java Agent uses centralized configuration) using either the AM admin UI or ssoadm:

  • AM admin UI: navigate to: Realms > [Realm Name] > Applications > Agents > Java > [Agent ID] > Application > Not Enforced URIs and add the required URIs and/or URI patterns.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID], [passwordfile] and [URI] with appropriate values:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.uri[1]=[URI]

For localized configurations, you must edit the AgentConfiguration.properties file (Java Agents 5.8 and later) or the OpenSSOAgentConfiguration.properties file (pre-5.8) instead. These files are located in the /path/to/java_agents/agent_type/agent_instance/ directory.

You can add as many URIs and/or URI patterns as required by adding multiple com.sun.identity.agents.config.notenforced.uri[n] properties separated by a space and ensuring the [n] increments for each additional URI or URI pattern. For example:

$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.notenforced.uri[1]=http://www.example.com/example/* com.sun.identity.agents.config.notenforced.uri[2]=http://www.example.com/test/*

Wildcards do not match ?. You must explicitly add resource patterns to match URLs with query strings; specifying resource patterns is described in: Configuring Resource Types.

Note

You must restart the web application container in which AM runs to apply these configuration changes.
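
Because every URL on this list skips policy evaluation, it is worth reviewing the list before applying it. The following is an added example, not ForgeRock code: it parses the notenforced.uri[n] entries from a constructed properties sample, flags index gaps and host-wide patterns, and checks sample URLs against the list. It assumes a simplified wildcard model in which * matches any run of characters except ?, across path levels; the helper names are hypothetical.

```python
import re

PROP = "com.sun.identity.agents.config.notenforced.uri"
ENTRY = re.compile(r"^" + re.escape(PROP) + r"\[(\d+)\]\s*=\s*(\S+)\s*$")
# Constructed sample of a local agent properties file (not taken from the article).
SAMPLE = """\
com.sun.identity.agents.config.notenforced.uri[1]=http://www.example.com/example/*
com.sun.identity.agents.config.notenforced.uri[2]=http://www.example.com/test/images/*.png
com.sun.identity.agents.config.notenforced.uri[4]=http://www.example.com/*
"""

def parse(text):
    """Return {index: pattern} for every not-enforced URI property."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[int(m.group(1))] = m.group(2)
    return entries

def to_regex(pattern):
    """Assumed model: '*' matches any characters except '?'; all else is literal."""
    body = "".join("[^?]*" if c == "*" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z")

def is_not_enforced(url, entries):
    """True if the URL matches a pattern, i.e. policy evaluation would be skipped."""
    return any(to_regex(p).match(url) for p in entries.values())

def audit(entries):
    """Flag entries that deserve review before the configuration is applied."""
    findings = []
    # The article says [n] must increment for each entry; report the first gap.
    for expected, idx in enumerate(sorted(entries), start=1):
        if idx != expected:
            findings.append(f"index gap: expected [{expected}], found [{idx}]")
            break
    for idx, p in sorted(entries.items()):
        path = re.sub(r"^[a-z]+://[^/]*", "", p)  # strip scheme and host
        if path in ("/*", "*", "/"):
            findings.append(f"[{idx}] {p}: exempts every path on the host")
    return findings

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for finding in audit(entries):
        print(finding)
    print(is_not_enforced("http://www.example.com/example/page?id=1", entries))
```
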

See Also

How do I define a list of Not Enforce URLs that Web Agents can ignore for authentication purposes in AM (All versions)?

About Authorization and Policy Decisions

Not-enforced

Related Training

ForgeRock Access Management Deep Dive (AM-410)

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.