
Inconsistent encoding of forward slash by Web Policy Agent 3.3.0 causes Error 403 Access Denied

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you set Encode URL Special Characters to "true" but the forward slash (/) is not consistently encoded by Web Policy Agent 3.3.0, resulting in an Access Denied error during policy evaluation.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the browser when attempting to access a policy agent protected resource:

Error 403 Access Denied/Forbidden

The forward slash (/) is not consistently encoded in the URL when the Encode URL Special Characters property is set to "true". When there are other encoded special characters in the URL, the forward slash is also encoded, but if the forward slash is the only special character in the URL (one or more instances), it is not encoded. 

Recent Changes

Upgraded to Web Policy Agents 3.3.0.

Enabled the Encode URL's Special Characters property (com.sun.identity.agents.config.encode.url.special.chars.enable=true).

Causes

Web Policy Agent incorrectly handles the evaluation of trailing slashes in unencoded form, specifically in URLs that contain unencoded parameter values for "uri=/".

The cause of this issue is related to OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL).
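
A triage sketch for the symptom and cause described above, added here as an example and not ForgeRock code: it flags 403 responses whose query parameter values contain the forward slash as their only special character, which is the case this article says is left unencoded. The definition of "special character" (anything outside the RFC 3986 unreserved set), the restriction to query parameter values, the function names and the sample records are all assumptions.

```python
from urllib.parse import urlsplit, parse_qsl
import string

# Assumption: a "special character" is anything outside the RFC 3986
# unreserved set. The article does not define the agent's own list.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def classify(url):
    """Classify the special characters found in a URL's query parameter values.

    Returns 'slash-only' when '/' is the only special character (the case the
    article reports as not encoded), 'mixed' when other special characters are
    present (the case where '/' is encoded too), or 'none'.
    """
    specials = set()
    # parse_qsl percent-decodes values, so already-encoded characters such as
    # %20 are counted as the special characters they represent.
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        specials.update(ch for ch in value if ch not in UNRESERVED)
    if not specials:
        return "none"
    return "slash-only" if specials == {"/"} else "mixed"


def affected_candidates(records):
    """Return URLs that were denied (403) and fall in the 'slash-only' class."""
    return [url for status, url in records
            if status == 403 and classify(url) == "slash-only"]


# Constructed sample records (HTTP status, requested URL); not real log data.
SAMPLE = [
    (403, "http://app.example.com/portal/login?uri=/"),
    (403, "http://app.example.com/portal/login?uri=/home/reports"),
    (200, "http://app.example.com/portal/login?uri=/home&title=a%20b"),
    (403, "http://app.example.com/portal/view?id=42"),
    (200, "http://app.example.com/portal/"),
]

if __name__ == "__main__":
    for url in affected_candidates(SAMPLE):
        print("candidate for OPENAM-3875:", url)
```

A 403 outside the 'slash-only' class, such as the `id=42` record, points to a different cause and should be investigated separately.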

Solution

This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.

See Also

Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x

Trailing wildcard in policy rules causes policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0

Trailing forward slash removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0 which causes access denied error

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL)

OPENAM-3875 ('Encode URL's Special Characters' in Web Agent does not consistently encode the / character)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.