Inconsistent encoding of forward slash by Web Policy Agent 3.3.0 causes Error 403 Access Denied
The purpose of this article is to provide assistance if you set Encode URL Special Characters to "true" but the forward slash (/) is not consistently encoded by Web Policy Agent 3.3.0, resulting in an Access Denied error during policy evaluation.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown in the browser when attempting to access a policy agent protected resource:
Error 403 Access Denied/Forbidden
The forward slash (/) is not consistently encoded in the URL when the Encode URL Special Characters property is set to "true". When there are other encoded special characters in the URL, the forward slash is also encoded, but if the forward slash is the only special character in the URL (one or more instances), it is not encoded.
Recent Changes
Upgraded to Web Policy Agents 3.3.0.
Enabled the Encode URL's Special Characters property (com.sun.identity.agents.config.encode.url.special.chars.enable=true).
Causes
Web Policy Agent incorrectly handles the evaluation of trailing slashes in unencoded form, specifically in URLs that contain unencoded parameter values for "uri=/".
The cause of this issue is related to OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL).
Solution
This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.
See Also
Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x
Related Issue Tracker IDs
OPENAM-3638 (Policy rule with trailing wildcard denies access to a valid resource URL)