In 3.3.x a client accessing a not enforced URL does not generate an audit log.
In 4.0.0, the same request generates an audit event:
This could generate a lot of unwanted audit events on a site with heavy notenforced traffic, and particularly if this is post-upgrade from an existing 3.3.x - these events may be unexpected.
Steps to reproduce:
1) Setup OpenAM with a WPA configured to include a notenforced URL and audit logging turned on.
2) Access not enforced URL and check audit logs.