
Trailing forward slash removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0 which causes access denied error

Last updated Jan 5, 2021

The purpose of this article is to provide assistance with the access denied error that occurs when attempting to access a policy agent protected resource. This error is caused by the trailing forward slash (/) being removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the browser when attempting to access a policy agent protected resource:

Error 403 Access Denied/Forbidden

Recent Changes

Upgraded to OpenAM 11.0.0 and / or Policy Agents 3.3.0

Changed policy rules to include trailing forward slashes (/), for example, http://example.com:80/

Causes

This issue is caused by a mismatch in how OpenAM and the policy agent normalize URLs. OpenAM 11.0.0 removes the trailing forward slash when it canonicalizes the resource name (a change in com.sun.identity.policy.plugins.URLResourceName.canonicalize()), but Policy Agents 3.3.0 do not. The agent looks up the policy decision under the exact resource name it requested, so when OpenAM returns the decision under the slash-less name the agent does not recognize it and denies access, even though the policy decision itself is allow.

For example, the incoming policy decision request from the policy agent includes / after UIDL in the URL:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Policy" reqid="327">
<Request><![CDATA[
<PolicyService version="1.0">
<PolicyRequest requestId="69" appSSOToken="AQIC5wM2LY4SfcwZT4J5H6jgFaBKz2FRFnDmCICrSINAuRM.*AAJTSQACMDIAAlNLABMyOTk4MzkzMjQ5NzIxOTYyMDI0AAJTMQACMDM.*">
<GetResourceResults userSSOToken="AQIC5wM2LY4Sfcywb05HLbYlSTdVt2YirAsG1Pf7UPXn0fI.*AAJTSQACMDIAAlNLABM4NjU2NjYwNzQ1Mjc1NzM5MDQ2AAJTMQACMDM.*" serviceName="iPlanetAMWebAgentService" resourceName="http://admin.example.com:8080/test-console/UIDL/?v-ch=211&amp;v-curdate=1386934087039&amp;v-cw=1048&amp;v-dstd=60&amp;v-dston=false&amp;v-loc=http%3A%2F%2Fadmin.example.com%2Ftest-console%2Fdo&amp;v-rtzo=-60&amp;v-sh=800&amp;v-sw=1280&amp;v-tzo=-60&amp;v-uiId=2&amp;v-vh=211&amp;v-vw=1048&amp;v-wn=testconsole-510602708-0.70830183327116&amp;v-wsver=7.1.7" resourceScope="self">

The outgoing policy decision response to the policy agent (from OpenAM) has removed the / after UIDL in the URL:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="policy" reqid="327">
<Response><![CDATA[
<PolicyService version="1.0" revisionNumber="60">
<PolicyResponse requestId="69" issueInstant="1386934140804" >
<ResourceResult name="http://admin.example.com:8080/test-console/UIDL?v-ch=211&amp;v-curdate=1386934087039&amp;v-cw=1048&amp;v-dstd=60&amp;v-dston=false&amp;v-loc=http%3A%2F%2Fpay-admin.example.com%2Fepay-console%2Fdo&amp;v-rtzo=-60&amp;v-sh=800&amp;v-sw=1280&amp;v-tzo=-60&amp;v-uiId=2&amp;v-vh=211&amp;v-vw=1048&amp;v-wn=epayconsole-510602708-0.70830183327116&amp;v-wsver=7.1.7">
<PolicyDecision>
<ResponseAttributes>
</ResponseAttributes>
<ActionDecision timeToLive="9223372036854775807">
<AttributeValuePair>
<Attribute name="POST"/>
<Value>allow</Value>
</AttributeValuePair>
...
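The following Python script is an added diagnostic written for this article; it is not ForgeRock code and is not taken from the OpenAM or policy agent code base. It parses a policy decision request and response of the shape shown above (constructed here from the excerpts: closing tags added so the documents parse, the query string shortened, and the SSO tokens replaced with placeholders), models the 3.3.0 agent's exact-name lookup, and checks whether a denial is explained by OpenAM having dropped the trailing slash. The strip_trailing_slash function is an assumption about what canonicalize() does to the resource name, not its actual code.

```python
"""Added diagnostic (not ForgeRock code): explain an agent-side 403 by comparing
the resource name the agent requested with the ResourceResult name OpenAM returned."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed from the request/response excerpts in this article: closing tags
# added so the documents parse, query string shortened, SSO tokens replaced.
AGENT_REQUEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Policy" reqid="327">
<Request><![CDATA[<PolicyService version="1.0">
<PolicyRequest requestId="69" appSSOToken="app-token-redacted">
<GetResourceResults userSSOToken="user-token-redacted" serviceName="iPlanetAMWebAgentService" resourceName="http://admin.example.com:8080/test-console/UIDL/?v-ch=211&amp;v-uiId=2" resourceScope="self">
<GetResponseDecisions/>
</GetResourceResults>
</PolicyRequest>
</PolicyService>]]></Request>
</RequestSet>"""

OPENAM_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="policy" reqid="327">
<Response><![CDATA[<PolicyService version="1.0" revisionNumber="60">
<PolicyResponse requestId="69" issueInstant="1386934140804">
<ResourceResult name="http://admin.example.com:8080/test-console/UIDL?v-ch=211&amp;v-uiId=2">
<PolicyDecision>
<ResponseAttributes></ResponseAttributes>
<ActionDecision timeToLive="9223372036854775807">
<AttributeValuePair><Attribute name="POST"/><Value>allow</Value></AttributeValuePair>
</ActionDecision>
</PolicyDecision>
</ResourceResult>
</PolicyResponse>
</PolicyService>]]></Response>
</ResponseSet>"""


def _inner_document(envelope_xml: str, wrapper_tag: str) -> ET.Element:
    """The PolicyService document travels as CDATA text inside <Request>/<Response>,
    so it has to be parsed a second time after the outer envelope."""
    cdata = ET.fromstring(envelope_xml).find(wrapper_tag).text
    return ET.fromstring(cdata)


def requested_resource(request_xml: str) -> str:
    """Resource name the agent asked OpenAM to evaluate (entities already decoded)."""
    return _inner_document(request_xml, "Request").find(".//GetResourceResults").get("resourceName")


def returned_results(response_xml: str) -> dict:
    """Map each ResourceResult name to its {action: decision} pairs."""
    results = {}
    for rr in _inner_document(response_xml, "Response").iter("ResourceResult"):
        decisions = {}
        for avp in rr.iter("AttributeValuePair"):
            decisions[avp.find("Attribute").get("name")] = avp.find("Value").text
        results[rr.get("name")] = decisions
    return results


def strip_trailing_slash(url: str) -> str:
    """Model of what OpenAM 11.0.0's URLResourceName.canonicalize() does to the
    resource name (assumption: only a trailing slash on the path is dropped; the
    scheme, host, port and query string are left alone)."""
    parts = urlsplit(url)
    path = parts.path[:-1] if parts.path.endswith("/") else parts.path
    return parts._replace(path=path).geturl()


def diagnose(request_xml: str, response_xml: str) -> dict:
    """Classify why an agent may not find its resource in the response."""
    wanted = requested_resource(request_xml)
    results = returned_results(response_xml)
    if wanted in results:
        return {"match": "exact", "resource": wanted, "decisions": results[wanted]}
    for name, decisions in results.items():
        # Same URL once both sides drop the trailing slash: the 11.0.0 / 3.3.0 mismatch.
        if strip_trailing_slash(name) == strip_trailing_slash(wanted):
            return {"match": "trailing-slash-mismatch", "resource": wanted,
                    "returned_as": name, "decisions": decisions}
    return {"match": "none", "resource": wanted, "decisions": {}}


def agent_allows(request_xml: str, response_xml: str, action: str) -> bool:
    """Policy Agent 3.3.0 behaviour as described in this article: the decision is
    looked up under the exact resource name the agent requested, and anything
    that does not match is treated as a deny (fail closed), hence the 403."""
    results = returned_results(response_xml)
    decision = results.get(requested_resource(request_xml), {}).get(action)
    return decision == "allow"


if __name__ == "__main__":
    report = diagnose(AGENT_REQUEST, OPENAM_RESPONSE)
    print("agent allows POST:", agent_allows(AGENT_REQUEST, OPENAM_RESPONSE, "POST"))
    print("diagnosis:", report["match"])
    if report["match"] == "trailing-slash-mismatch":
        print("  requested:", report["resource"])
        print("  returned :", report["returned_as"], "->", report["decisions"])
```

Run against request/response pairs copied from the agent debug log: a "trailing-slash-mismatch" result with an allow decision is the signature of this issue, while "none" points at a genuinely missing or non-matching policy rather than at normalization. Note that the agent fails closed: an unrecognized resource name produces a deny, which is the safe direction, but it is why the symptom is a 403 rather than an unexpected allow.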

Solution

This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.

Both OpenAM and the policy agents now leave the trailing forward slash in place and treat URLs with and without a trailing slash as different resources, so a policy rule must match the URL exactly as the agent requests it.

Alternatively, you can change your policy agents to use root mode (web agents) or subtree mode (Java EE agents) as a workaround.

Caution

You should use this mode with caution as it may produce unexpected policy evaluation results depending on the specifics of your policies. This is a known issue: OPENAM-2085 (Unreliable policy evaluation results with com.sun.identity.agents.config.fetch.from.root.resource enabled)

Web Policy Agent

You can change your web policy agents to use root mode using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Access Control > [Realm Name] > Agents > Web > [Agent Name] > OpenAM Services > Policy Client Service > Fetch Policies from Root Resource and select the Enabled option.
  • ssoadm: enter the following command: $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.fetch.from.root.resource=true replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values.

Java EE Policy Agent

You can change your Java EE policy agents to use subtree mode using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Access Control > [Realm Name] > Agents > J2EE > [Agent Name] > OpenAM Services > Policy Client Service > Policy Client Cache Mode and select the subtree option.
  • ssoadm: enter the following command: $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.policy.client.cacheMode=subtree replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values.

Note

You must restart the web server or application container in which the policy agent runs to apply these configuration changes.

See Also

Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x

Trailing wildcard in policy rules causes policy matching issues in OpenAM 11.0.0 and Policy Agents 3.3.0

Best practice for creating and testing policies in OpenAM 11.x

Best practice for migrating policies when upgrading to OpenAM 12.x or 13.x

Best practice for creating and testing policies in AM (All versions)

OpenAM 11.0.1 Release Notes › OpenAM Changes & Deprecated Functionality › Important Changes to Existing Functionality

OpenAM Web Policy Agent 3.3.1 Release Notes › Web Policy Agents 3.3.1 › Important Changes to Web Policy Agent Functionality

Related Training

N/A

Related Issue Tracker IDs

OPENAM-2969 (Basic policy to allow HTTP GET fails on root resource)

OPENAM-3509 (PolicyEvaluation strips off trailing '/' from resource resulting in wrong enforcement on agent side)

OPENAM-3614 (J2EE agents need to be brought inline with URL specs)

OPENAM-3615 (Policy evaluation is moving towards the URL spec and no longer ignoring trailing slashes)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.