The Agent currently depends on Apache's PATH_INFO.
This has been a long-running source of issues.
Workarounds for related problems often involve changing the following parameters, despite limited understanding of what they do or what other issues this might lead to:
# IGNORE URL PATH
# When the not enforced list or policy has a wildcard '*' character, agent
# strips the path info from the request URI and uses the resulting request
# URI to check against the not enforced list or policy instead of the entire
# request URI, in order to prevent someone from getting access to any URI by
# simply appending the matching pattern in the policy or not enforced list.
# For example, if the not enforced list has the value http:# stripping the path info from the request URI will prevent someone from
# getting access to http:# However when a web server (for example apache) is configured to be a reverse
# proxy server for a J2EE application server, path info is interpreted in a different
# manner since it maps to a resource on the proxy instead of the app server.
# This prevents the not enforced list or policy from being applied to part of
# the URI below the app server path if there is a wildcard character. For example,
# if the not enforced list has value http:# request URL is http:# is /servcontext/example.jsp and the resulting request URL with path info stripped
# is http:# following property to true, the path info will not be stripped from the request URL
# even if there is a wild character in the not enforced list or policy.
# Be aware though that if this is set to true there should be nothing following the
# wildcard character '*' in the not enforced list or policy, or the
# security loophole described above may occur.
# Hot-Swap Enabled: Yes
com.sun.identity.agents.config.ignore.path.info = false
# IGNORE PATH INFO FOR NOT ENFORCED URLS
# Boolean attribute to indicate whether the path info and query should
# be stripped from the request URL before being compared with the URLs
# of the not enforced list when those URLs have a wildcard '*' character.
# For security reasons this property should be set to true in order to avoid
# a situation like the following one: if
# com.sun.identity.agents.config.notenforced.url = http:# someone can access http:# http:#
# Default value is true.
com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list = true
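To make the two comment blocks above concrete, here is an added Python model of the check they describe; it is not the Agent's code, and the host name, the resource list and the not-enforced patterns are constructed for the example. It splits a request path into script path and PATH_INFO the way a web server reports them, optionally strips the PATH_INFO and query before matching against a not-enforced list with a '*' wildcard, and shows both cases the comments warn about: the loophole when PATH_INFO is kept (a protected resource matched because of what follows it) and the reverse-proxy case where stripping makes the not-enforced rule stop applying below the mount point. It also flags patterns that have text after the wildcard, which the comments say must be avoided when ignore.path.info is set to true.

```python
import re
from urllib.parse import urlsplit

# Constructed example: resources the front-end web server serves itself.
# Anything after one of these prefixes is reported as PATH_INFO, as Apache does.
SERVER_RESOURCES = ("/app/secret.jsp",)

# Constructed example: a reverse-proxy mount point. The web server maps
# /servcontext to the back-end J2EE server, so from its point of view
# everything below that prefix is PATH_INFO, not a resource it knows.
PROXY_MOUNTS = ("/servcontext",)


def split_path_info(path):
    """Return (script_path, path_info) as a web server would report them."""
    for prefix in SERVER_RESOURCES + PROXY_MOUNTS:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix, path[len(prefix):]
    return path, ""


def wildcard_match(pattern, value):
    """Match a not-enforced pattern where '*' is the only wildcard and may span '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def effective_url(url, strip_path_info):
    """Rebuild the URL the agent compares against the not-enforced list."""
    parts = urlsplit(url)
    script, _path_info = split_path_info(parts.path)
    if strip_path_info:
        # ignore.path.info.for.not.enforced.list = true: drop path info and query
        return f"{parts.scheme}://{parts.netloc}{script}"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{parts.netloc}{parts.path}{query}"


def is_not_enforced(url, patterns, strip_path_info):
    """True if the (possibly stripped) request URL matches any not-enforced pattern."""
    target = effective_url(url, strip_path_info)
    return any(wildcard_match(p, target) for p in patterns)


def risky_patterns(patterns):
    """Patterns with text after '*' that the comments say to avoid when
    ignore.path.info is true: the trailing part can be supplied as PATH_INFO."""
    return [p for p in patterns if "*" in p and not p.endswith("*")]


def demo():
    """Run both scenarios from the config comments and return the outcomes."""
    results = {}

    # Scenario 1 (constructed): a rule meant for static images. A request for a
    # protected servlet with matching PATH_INFO appended matches the rule only
    # if PATH_INFO is kept, which is the loophole the first comment describes.
    gif_rule = ["http://host.example/*.gif"]
    req = "http://host.example/app/secret.jsp/x.gif"
    results["loophole_unstripped"] = is_not_enforced(req, gif_rule, strip_path_info=False)
    results["loophole_stripped"] = is_not_enforced(req, gif_rule, strip_path_info=True)

    # Scenario 2 (constructed): a rule covering a whole proxied servlet context.
    # Stripping PATH_INFO collapses the request to the mount point, so the rule
    # no longer applies to anything below it, as the second comment describes.
    ctx_rule = ["http://host.example/servcontext/*"]
    req2 = "http://host.example/servcontext/example.jsp"
    results["proxy_unstripped"] = is_not_enforced(req2, ctx_rule, strip_path_info=False)
    results["proxy_stripped"] = is_not_enforced(req2, ctx_rule, strip_path_info=True)

    results["risky"] = risky_patterns(gif_rule + ctx_rule)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows why neither setting is free of trade-offs: stripping closes the appended-PATH_INFO match but, behind a reverse proxy, also removes the part of the URL the rule was written for. That is the tension the issue above asks to resolve by taking PATH_INFO out of the picture.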
In addition, there are issues related to the encoding of path info, resulting in changes in behaviour from 3.3.0 to 3.3.4/4.x (see linked support case).
Can the Agent be allowed to run in a way that lets us drop path info altogether, at least for new installs? E.g. by using mod_proxy?