Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if your policies are not always correctly evaluated when using root or subtree mode in OpenAM. For example, policy rules that should allow access to policy agent protected resources are denied.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

Policy rules that should allow access to policy agent protected resources are denied.

Recent Changes

N/A

Causes

When using root or subtree mode, the policy agent requests all policy decisions from OpenAM and then performs some local policy processing. URLs are broken down into their component parts and each part is evaluated looking for possible matches. This approach can cause unexpected results when evaluating policy rules, particularly if they contain wildcards.

Non-root or self mode is simpler: the policy agent requests a single decision for the complete URL from OpenAM and performs no additional local policy processing. This mode is the default and results in fewer evaluations being performed.

Note

Root mode and subtree mode are the same behaviour under different names, depending on the type of policy agent: web policy agents use root or non-root mode, and Java EE policy agents use subtree or self mode.

Solution

This issue can be resolved by changing your policy agents to use non-root or self mode.

Web Policy Agent

You can change your web policy agents using either the OpenAM console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Agents > Web > [Agent Name] > OpenAM Services > Policy Client Service > Fetch Policies from Root Resource and deselect the Enabled option.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:

    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.fetch.from.root.resource=false

Java EE Policy Agent

You can change your Java EE policy agents using either the OpenAM console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Agents > J2EE > [Agent Name] > OpenAM Services > Policy Client Service > Policy Client Cache Mode and select the self option.
  • ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:

    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.policy.client.cacheMode=self

Note

You must restart the web application container in which OpenAM runs to apply these configuration changes.

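The following script is an added helper, not part of this article or of OpenAM: it checks a list of agents for root/subtree mode using ssoadm show-agent and, when FIX=1 is set, applies the same update-agent change described above. It assumes ssoadm is on the PATH (or given in SSOADM) and that show-agent prints agent attributes as name=value lines.

```shell
#!/bin/sh
# Added audit helper (not from the ForgeRock article or product): reports which
# policy agents still use root/subtree mode and optionally switches them to
# non-root/self mode with the ssoadm update-agent command the article gives.
# Assumptions: ssoadm is on PATH (or set SSOADM), and `ssoadm show-agent`
# prints agent attributes as name=value lines.
SSOADM="${SSOADM:-ssoadm}"

# Prints the attribute=value that means root/subtree mode for the agent type
# (WebAgent or J2EEAgent); fails with status 2 on any other type.
root_mode_setting() {
  case "$1" in
    WebAgent)  echo 'com.sun.identity.agents.config.fetch.from.root.resource=true' ;;
    J2EEAgent) echo 'com.sun.identity.policy.client.cacheMode=subtree' ;;
    *) echo "unknown agent type: $1" >&2; return 2 ;;
  esac
}

# Prints the attribute=value that switches the agent to non-root/self mode.
self_mode_setting() {
  case "$1" in
    WebAgent)  echo 'com.sun.identity.agents.config.fetch.from.root.resource=false' ;;
    J2EEAgent) echo 'com.sun.identity.policy.client.cacheMode=self' ;;
    *) echo "unknown agent type: $1" >&2; return 2 ;;
  esac
}

# Reads a show-agent dump on stdin; exit 0 if it shows root/subtree mode.
# $1 = agent type. Matches the whole line, fixed string, case-insensitive.
uses_root_mode() {
  setting=$(root_mode_setting "$1") || return 2
  grep -qixF "$setting"
}

# $1 realm, $2 admin id, $3 password file, $4 agent type, $5... agent names.
audit_agents() {
  realm=$1; admin=$2; pwfile=$3; type=$4; shift 4
  for agent in "$@"; do
    # Capture the dump first so a failed show-agent is never reported as "ok".
    dump=$("$SSOADM" show-agent -e "$realm" -b "$agent" -u "$admin" -f "$pwfile") \
      || { echo "$agent: show-agent failed, skipping" >&2; continue; }
    if printf '%s\n' "$dump" | uses_root_mode "$type"; then
      echo "$agent: root/subtree mode (unreliable evaluation, see OPENAM-2085)"
      [ "${FIX:-0}" = 1 ] && "$SSOADM" update-agent -e "$realm" -b "$agent" \
        -u "$admin" -f "$pwfile" -a "$(self_mode_setting "$type")"
    else
      echo "$agent: non-root/self mode (ok)"
    fi
  done
}

# Usage: audit.sh REALM ADMINID PASSWORDFILE WebAgent|J2EEAgent AGENT...
if [ $# -ge 5 ]; then audit_agents "$@"; fi
```

The container restart noted above is still required after any change the script applies.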
See Also

Best practice for creating and testing policies in AM (All versions)

Related Training

N/A

Related Issue Tracker IDs

OPENAM-2085 (Unreliable policy evaluation results with com.sun.identity.agents.config.fetch.from.root.resource enabled)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.