Inconsistent encoding of forward slash by Web Policy Agent 3.3.0 causes Error 403 Access Denied
The purpose of this article is to provide assistance if you set Encode URL Special Characters to "true" but the forward slash (/) is not consistently encoded by Web Policy Agent 3.3.0, resulting in an Access Denied error during policy evaluation.
This article has been archived and is no longer maintained by ForgeRock.
The following error is shown in the browser when attempting to access a policy agent protected resource: Error 403 Access Denied/Forbidden
The forward slash (/) is not consistently encoded in the URL when the Encode URL Special Characters property is set to "true". When there are other encoded special characters in the URL, the forward slash is also encoded, but if the forward slash is the only special character in the URL (one or more instances), it is not encoded.
Upgraded to Web Policy Agents 3.3.0.
Enabled the Encode URL's Special Characters property (com.sun.identity.agents.config.encode.url.special.chars.enable=true).
Web Policy Agent incorrectly handles the way that trailing slashes are evaluated in un-encoded form, specifically URLs that contain unencoded parameter values for "uri=/".
The cause of this issue is related to OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL).
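To identify requests that match the case described above, the following added example (not ForgeRock code and not part of the original article) scans web server access log lines for 403 responses whose query string contains a forward slash as its only special character. The Common Log Format input, the sample lines, the function names, and the definition of "special character" (anything outside RFC 3986 unreserved characters plus the & and = delimiters) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: "special" means anything outside RFC 3986 unreserved
# characters and the query delimiters & and =.
PLAIN = re.compile(r"[A-Za-z0-9\-._~&=]")

# Request target and status fields of a Common Log Format line.
CLF = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) [^"]*" (\d{3})')


def slash_only_query(url):
    """True when '/' is the only special character in the query string."""
    query = urlsplit(url).query
    specials = {ch for ch in query if not PLAIN.match(ch)}
    return specials == {"/"}


def suspect_denials(log_lines):
    """Return request targets that got a 403 and match the slash-only case."""
    hits = []
    for line in log_lines:
        m = CLF.search(line)
        if m and m.group(2) == "403" and slash_only_query(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample access log lines (not taken from the article).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2014:10:00:00 +0000] "GET /app/view?uri=/ HTTP/1.1" 403 512',
    '192.0.2.10 - - [01/Mar/2014:10:00:05 +0000] "GET /app/view?uri=/&q=a%20b HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Mar/2014:10:00:09 +0000] "GET /app/view?uri=/docs/ HTTP/1.1" 403 512',
    '192.0.2.12 - - [01/Mar/2014:10:00:12 +0000] "GET /app/admin?id=7 HTTP/1.1" 403 512',
]

if __name__ == "__main__":
    for target in suspect_denials(SAMPLE_LOG):
        print(target)
```

A 403 on a flagged request is only a candidate for this issue; a 403 on a request with no slash in the query, such as the last sample line, points to an ordinary policy denial instead.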
This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.
Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x
Trailing wildcard in policy rules causes policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0
Trailing forward slash removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0 which causes access denied error
Related Issue Tracker IDs
OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL)
OPENAM-3875 ('Encode URL's Special Characters' in Web Agent does not consistently encode the / character)