Affects Version/s: 3.3.4, 4.0.0
Steps to reproduce
1) Setup OpenAM with Web Agent (3.3.x or 4.0.x)
2) Add a simple all users policy to allow access to everything, e.g "http://www.example.com/*"
3) Attempt to access http://www.example.com/test%23test
Access is denied
Access is allowed
Adding a rule for www.example.com/test#test or # works, but this is not a good workaround because the file could include many encoded # characters and each variation of this would require it's own rule.
I think the two key points are:
In OpenAM the wildcard character stops at a literal # character (much like ?).
The Agent decodes the %23 before sending it for evaluation to OpenAM.