OpenAM Agents / AMAGENTS-3665

Java Agent does not handle wildcard in protocol for NEU rule


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 5.7.0
    • Fix Version/s: 5.7.1, 5.8.0
    • Component/s: Java Agents
    • Environment:
      Version: 5.7.0-RC3
      Build Date: 2020-07-22 12:42:28
      Build Revision: a6eeeac4bf74fc30895d305987405eba870208ac

      Description

      Java Agent does not handle a wildcard in the protocol for a NEU rule. Java agents should handle it with the same logic that Web Agent and policies use.

      Steps to reproduce

      1.) Set Not Enforced URL rule with wildcard in protocol

       *://jpa.pentest.forgeops.com:80/web/

      2.) Access a page which matches the rule:

      http://jpa.pentest.forgeops.com:80/web/
      or
      https://jpa.pentest.forgeops.com:443/web/

      Expected result

      See the page without login

      Observed result

      Redirected to AM for login

      debug logs:

      -----------------------------------------------------------------
      AmFilter.isAccessAllowed: GET http://jpa.pentest.forgeops.com/web/
      AmFilterMode for application DefaultWebApp is URL_POLICY
      AmFilter processing XSS Detection Task Handler
      AmFilter processing AuthnFragmentRelayTaskHandler
      AmFilter processing AuthnExchangeTaskHandler
      AmFilter processing Notification Task Handler
      AmFilter processing FQDN Task Handler
      AmFilter processing Application Logout Handler
      AmFilter processing NotEnforcedTaskHandler
      NotEnforcedTaskHandler.process: reworked URL http://jpa.pentest.forgeops.com:80/web/
      >2020-08-07 10:44:35:214 UTC: http-nio-80-exec-3/5/main
      INFO: NotEnforcedRuleHelper.isAuthNRequest: requestURI: http://jpa.pentest.forgeops.com:80/web/; AuthNRedirectURI is /agentapp/post-authn-redirect; result is false
      NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico url: http://jpa.pentest.forgeops.com:80/web/ gave: false
      NotEnforcedRulePatternMatcher: classic pattern: */favicon.ico?* url: http://jpa.pentest.forgeops.com:80/web/ gave: false
      NotEnforcedRuleHelper.isNotEnforced(http://jpa.pentest.forgeops.com:80/web/, 10.16.0.11, GET) search took 0 milliseconds
      NotEnforcedRuleHelper.isNotEnforced(http://jpa.pentest.forgeops.com:80/web/, 10.16.0.11, GET) search took 0 milliseconds, no match
      NotEnforcedRulePatternMatcher: classic pattern: *://jpa.pentest.forgeops.com:80/web/ url: http://jpa.pentest.forgeops.com:80/web/ gave: false
      NotEnforcedRuleHelper.isNotEnforced(http://jpa.pentest.forgeops.com:80/web/, 10.16.0.11, GET) search took 0 milliseconds
      NotEnforcedRuleHelper.isNotEnforced(http://jpa.pentest.forgeops.com:80/web/, 10.16.0.11, GET) search took 0 milliseconds, no match
      NotEnforcedRuleHelper.isNotEnforced(http://jpa.pentest.forgeops.com:80/web/, 10.16.0.11, GET) FAILED to find a match
      NotEnforcedTaskHandler: Request URI http://jpa.pentest.forgeops.com:80/web/ not found in any lists, so is enforced
       

      Workaround

      1.) Use 2 separate rules

      http://jpa.pentest.forgeops.com:80/web/
      https://jpa.pentest.forgeops.com:443/web/

      2.) Use regex

      REGEX https?://jpa.pentest.forgeops.com:80/web/ 
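
An added example (not part of the original report, and not the agent's own matching code): a small Python check that a set of Not Enforced URL rules exempts the URLs it is meant to and nothing else. It assumes a simplified matching model in which `*` matches any run of characters, a `REGEX ` prefix marks a regular expression, and a rule must match the whole URL; the protected URL is constructed.

```python
import re

# Rules and test URLs copied from the issue text.
WILDCARD_RULE = "*://jpa.pentest.forgeops.com:80/web/"
LITERAL_RULES = ["http://jpa.pentest.forgeops.com:80/web/",
                 "https://jpa.pentest.forgeops.com:443/web/"]
REGEX_RULE = "REGEX https?://jpa.pentest.forgeops.com:80/web/"
URLS = ["http://jpa.pentest.forgeops.com:80/web/",
        "https://jpa.pentest.forgeops.com:443/web/"]
# Constructed URL that must keep requiring login whichever rule set is used.
PROTECTED = ["http://jpa.pentest.forgeops.com:80/web/private"]


def rule_to_regex(rule):
    """Compile one rule under the assumed model (not the agent's implementation)."""
    if rule.startswith("REGEX "):
        return re.compile(rule[len("REGEX "):].strip())
    # Classic rule: '*' matches any run of characters, the rest is literal.
    return re.compile(".*".join(re.escape(p) for p in rule.split("*")), re.DOTALL)


def matches(rule, url):
    """True if the rule matches the whole URL (whole-URL matching is an assumption)."""
    return rule_to_regex(rule).fullmatch(url) is not None


def coverage(rules, urls):
    """Map each URL to the rules that would leave it not enforced."""
    return {u: [r for r in rules if matches(r, u)] for u in urls}


def uncovered(rules, urls):
    """URLs meant to be exempt that no rule matches, so login is still required."""
    return [u for u, hits in coverage(rules, urls).items() if not hits]


def overmatched(rules, protected):
    """Protected URLs that some rule would wrongly exempt from authentication."""
    return [u for u, hits in coverage(rules, protected).items() if hits]


if __name__ == "__main__":
    rule_sets = [("wildcard", [WILDCARD_RULE]),
                 ("two literal rules", LITERAL_RULES),
                 ("regex", [REGEX_RULE])]
    for name, rules in rule_sets:
        print(name, "| still enforced:", uncovered(rules, URLS),
              "| wrongly exempt:", overmatched(rules, PROTECTED))
```

Under these assumptions only the two literal rules exempt both URLs: the wildcard rule and the regex both carry port 80, so the https URL on port 443 stays enforced.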

       

              People

              Assignee:
              tony.bamford Tony Bamford
              Reporter:
              richard.hruza Richard Hruza