Trailing forward slash removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0 which causes access denied error
The purpose of this article is to provide assistance with the access denied error that occurs when attempting to access a policy agent protected resource. This error is caused by the trailing forward slash (/) being removed from policy rules in OpenAM 11.0.0 and Policy Agents 3.3.0.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown in the browser when attempting to access a policy agent protected resource:
Error 403 Access Denied/Forbidden
Recent Changes
Upgraded to OpenAM 11.0.0 and / or Policy Agents 3.3.0
Changed policy rules to include trailing forward slashes (/), for example, http://example.com:80/
Causes
The cause of this issue is a mismatch in how URL normalization is performed: OpenAM removes the trailing forward slash (due to changes in com.sun.identity.policy.plugins.URLResourceName.canonicalize()) but the policy agent does not. As a result, the policy agent no longer recognizes the URL when it is returned from OpenAM and denies access even though the policy decision is allow.
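The following Python model of the mismatch is an added example, not ForgeRock code: canonicalize_openam_11_0_0() is a hypothetical stand-in for the 11.0.0 behaviour of URLResourceName.canonicalize(), the agent side is modelled as a decision cache keyed on the URL the agent sent, and rules_with_trailing_slash() is a check you can run over your own policy rules before upgrading.

```python
from urllib.parse import urlsplit, urlunsplit

def canonicalize_openam_11_0_0(url: str) -> str:
    """Hypothetical model of OpenAM 11.0.0: drop the trailing '/' of the path,
    keep the query string (e.g. /UIDL/?v-ch=211 becomes /UIDL?v-ch=211)."""
    p = urlsplit(url)
    path = p.path[:-1] if p.path.endswith("/") else p.path
    return urlunsplit((p.scheme, p.netloc, path, p.query, p.fragment))

def canonicalize_openam_11_0_1(url: str) -> str:
    """11.0.1 and later leave the trailing slash in place, so URLs with and
    without a trailing slash are distinct resources."""
    return url

def agent_decision(requested_url: str, openam_canonicalize) -> str:
    """Model of a 3.3.0 agent: it sends resourceName unchanged, OpenAM answers
    with a ResourceResult whose name is its canonical form and decision 'allow',
    and the agent then looks the decision up under the URL it asked about."""
    response = {openam_canonicalize(requested_url): "allow"}  # constructed reply
    return response.get(requested_url, "deny")  # unknown name -> access denied

def rules_with_trailing_slash(rules: list[str]) -> list[str]:
    """Policy rules whose path ends in '/' and are therefore affected in 11.0.0."""
    return [r for r in rules if urlsplit(r).path.endswith("/")]

if __name__ == "__main__":
    url = "http://admin.example.com:8080/test-console/UIDL/?v-ch=211&v-uiId=2"
    print("11.0.0:", agent_decision(url, canonicalize_openam_11_0_0))  # deny
    print("11.0.1:", agent_decision(url, canonicalize_openam_11_0_1))  # allow
    print(rules_with_trailing_slash(["http://example.com:80/",
                                     "http://example.com:80/app/*"]))
```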
For example, the incoming policy decision request from the policy agent includes / after UIDL in the URL:
<RequestSet vers="1.0" svcid="Policy" reqid="327">
  <Request><![CDATA[
    <PolicyService version="1.0">
      <PolicyRequest requestId="69" appSSOToken="AQIC5wM2LY4SfcwZT4J5H6jgFaBKz2FRFnDmCICrSINAuRM.*AAJTSQACMDIAAlNLABMyOTk4MzkzMjQ5NzIxOTYyMDI0AAJTMQACMDM.*">
        <GetResourceResults userSSOToken="AQIC5wM2LY4Sfcywb05HLbYlSTdVt2YirAsG1Pf7UPXn0fI.*AAJTSQACMDIAAlNLABM4NjU2NjYwNzQ1Mjc1NzM5MDQ2AAJTMQACMDM.*" serviceName="iPlanetAMWebAgentService" resourceName="http://admin.example.com:8080/test-console/UIDL/?v-ch=211&v-curdate=1386934087039&v-cw=1048&v-dstd=60&v-dston=false&v-loc=http%3A%2F%2Fadmin.example.com%2Ftest-console%2Fdo&v-rtzo=-60&v-sh=800&v-sw=1280&v-tzo=-60&v-uiId=2&v-vh=211&v-vw=1048&v-wn=testconsole-510602708-0.70830183327116&v-wsver=7.1.7" resourceScope="self">
The outgoing policy decision response to the policy agent (from OpenAM) has removed the / after UIDL in the URL:
<ResponseSet vers="1.0" svcid="policy" reqid="327">
  <Response><![CDATA[
    <PolicyService version="1.0" revisionNumber="60">
      <PolicyResponse requestId="69" issueInstant="1386934140804" >
        <ResourceResult name="http://admin.example.com:8080/test-console/UIDL?v-ch=211&v-curdate=1386934087039&v-cw=1048&v-dstd=60&v-dston=false&v-loc=http%3A%2F%2Fpay-admin.example.com%2Fepay-console%2Fdo&v-rtzo=-60&v-sh=800&v-sw=1280&v-tzo=-60&v-uiId=2&v-vh=211&v-vw=1048&v-wn=epayconsole-510602708-0.70830183327116&v-wsver=7.1.7">
          <PolicyDecision>
            <ResponseAttributes>
            </ResponseAttributes>
            <ActionDecision timeToLive="9223372036854775807">
              <AttributeValuePair>
                <Attribute name="POST"/>
                <Value>allow</Value>
              </AttributeValuePair>
              ...
Solution
This issue can be resolved by upgrading to OpenAM 11.0.1 or later, and Web Policy Agents 3.3.1 or later; you can download these from BackStage.
Both OpenAM and the policy agents now leave the trailing forward slash in place and recognize URLs with and without trailing forward slashes as different resources.
Alternatively, you can change your policy agents to use root or subtree mode as a workaround.
Caution
You should use this mode with caution as it may produce unexpected policy evaluation results depending on the specifics of your policies. This is a known issue: OPENAM-2085 (Unreliable policy evaluation results with com.sun.identity.agents.config.fetch.from.root.resource enabled)
Web Policy Agent
You can change your web policy agents to use root mode using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Access Control > [Realm Name] > Agents > Web > [Agent Name] > OpenAM Services > Policy Client Service > Fetch Policies from Root Resource and select the Enabled option.
- ssoadm: enter the following command: $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.fetch.from.root.resource=true replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values.
Java EE Policy Agent
You can change your Java EE policy agents to use subtree mode using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Access Control > [Realm Name] > Agents > J2EE > [Agent Name] > OpenAM Services > Policy Client Service > Policy Client Cache Mode and select the subtree option.
- ssoadm: enter the following command: $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.policy.client.cacheMode=subtree replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values.
Note
You must restart the web application container in which OpenAM runs to apply these configuration changes.
See Also
Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x
Best practice for creating and testing policies in OpenAM 11.x
Best practice for migrating policies when upgrading to OpenAM 12.x or 13.x
Best practice for creating and testing policies in AM (All versions)
Related Issue Tracker IDs
OPENAM-2969 (Basic policy to allow HTTP GET fails on root resource)
OPENAM-3614 (J2EE agents need to be brought inline with URL specs)