Unreliable policy evaluation results when using root or subtree mode in OpenAM 13.x
The purpose of this article is to provide assistance if your policies are not always correctly evaluated when using root or subtree mode in OpenAM. For example, policy rules that should allow access to policy agent protected resources are denied.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
Policy rules that should allow access to policy agent protected resources are denied.
Recent Changes
N/A
Causes
When using root or subtree mode, the policy agent requests all policy decisions from OpenAM and then performs some local policy processing: URLs are broken down into their component parts and each part is evaluated looking for possible matches. This approach can cause unexpected results when evaluating policy rules, particularly if they contain wildcards.
Non-root or self mode is simpler: the policy agent requests a single decision for the complete URL from OpenAM and performs no additional local policy processing. This mode is the default and results in fewer evaluations being performed.
Note
Root and subtree modes are the same concept under different policy agent terminology: web policy agents use root or non-root mode, and Java EE policy agents use subtree or self mode.
Solution
This issue can be resolved by changing your policy agents to use non-root or self mode.
Web Policy Agent
You can change your web policy agents using either the OpenAM console or ssoadm:
- Console: navigate to: Realms > [Realm Name] > Agents > Web > [Agent Name] > OpenAM Services > Policy Client Service > Fetch Policies from Root Resource and deselect the Enabled option.
- ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:
$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.fetch.from.root.resource=false
Java EE Policy Agent
You can change your Java EE policy agents using either the OpenAM console or ssoadm:
- Console: navigate to: Realms > [Realm Name] > Agents > J2EE > [Agent Name] > OpenAM Services > Policy Client Service > Policy Client Cache Mode and select the self option.
- ssoadm: enter the following command, replacing [realmname], [agentname], [adminID] and [passwordfile] with appropriate values:
$ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.policy.client.cacheMode=self
Note
You must restart the web application container in which OpenAM runs to apply these configuration changes.
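The following script is an added example, not ForgeRock's or OpenAM's own code: it audits an agent's exported properties for the root or subtree settings covered above and prints the matching ssoadm -a argument from the solution. It assumes the properties are available as a Java .properties style key=value listing (for example, the output of ssoadm show-agent); the sample agent listings are constructed.

```python
# Added example (not ForgeRock's own code): audit exported policy-agent
# properties for the root / subtree fetch modes this article recommends
# turning off. Property names are the ones used in the ssoadm commands above.
import re

WEB_ROOT_PROP = "com.sun.identity.agents.config.fetch.from.root.resource"
JEE_CACHE_PROP = "com.sun.identity.policy.client.cacheMode"

# Constructed samples in Java .properties style (key=value, '#' comments);
# assumed to match what an ssoadm show-agent listing looks like.
SAMPLE_WEB_AGENT = """\
# web agent exported from [Realm Name]
com.sun.identity.agents.config.fetch.from.root.resource = true
"""
SAMPLE_JEE_AGENT = """\
com.sun.identity.policy.client.cacheMode=subtree
"""

def parse_properties(text):
    """Parse key=value / key: value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_agent(text):
    """Return findings as (property, current value, ssoadm -a argument to fix).
    An empty list means the agent already uses non-root / self mode; an absent
    property is treated as the default, which the article says is non-root / self."""
    props = parse_properties(text)
    findings = []
    web = props.get(WEB_ROOT_PROP)
    if web is not None and web.lower() == "true":
        findings.append((WEB_ROOT_PROP, web, WEB_ROOT_PROP + "=false"))
    jee = props.get(JEE_CACHE_PROP)
    if jee is not None and jee.lower() != "self":
        findings.append((JEE_CACHE_PROP, jee, JEE_CACHE_PROP + "=self"))
    return findings

if __name__ == "__main__":
    for name, text in (("web", SAMPLE_WEB_AGENT), ("jee", SAMPLE_JEE_AGENT)):
        for prop, value, fix in audit_agent(text):
            print(f"{name}: {prop}={value} -> ssoadm update-agent ... -a {fix}")
```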
See Also
Best practice for creating and testing policies in AM (All versions)
Related Training
N/A