  1. OpenAM
  2. OPENAM-12338

policies?_action=evaluate checks all policy sets



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1
    • 13.5.3, 14.1.2, 6.5.0, 6.0.1, 5.5.2
    • policy
    • AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51
    • 3
    • Yes


      Bug description

      policies?_action=evaluate appears to check all policy sets even though application is set in the request. Should application be a required field if AM is checking all of them regardless?

      How to reproduce the issue

      1. Create two policy sets, each protecting a different resource e.g. Pattern1 and Pattern2
      2. Set one policy set to require AuthLevel 1 and the other to AuthLevel 2
      3. Evaluate application PolicyA and PolicyB with the wrong resource (if Pattern1 is a resource protected in PolicyA, put it in the request with PolicyB for example)
      4. AuthLevelConditionAdvice in the response indicates the resource is protected by the application not defined in the request

      Expected behaviour

      Not sure but if we are evaluating a particular application / policy set, and the resource we are evaluating is not found, I don't think AM should return advice for another application / policy set where the resource is found.

      Current behaviour

      Returns advice for application / policy set not defined in the request
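
An added regression check for the behaviour reported above (not code from the issue or from OpenAM): it flags `policies?_action=evaluate` responses that carry advice for a resource the requested policy set does not cover. The resource patterns, URLs, function names and sample responses are constructed, and `fnmatch` stands in for AM's own resource matching.

```python
from fnmatch import fnmatchcase

# Constructed policy sets mirroring the reproduction steps (PolicyA protects
# Pattern1, PolicyB protects Pattern2); the URLs are sample values.
POLICY_SETS = {
    "PolicyA": ["http://app.example.com/pattern1/*"],
    "PolicyB": ["http://app.example.com/pattern2/*"],
}

def build_evaluate_request(application, resources):
    """Body for POST .../policies?_action=evaluate scoped to one policy set."""
    return {"application": application, "resources": list(resources)}

def owners(resource, policy_sets):
    """Policy sets whose patterns cover the resource. fnmatch is an assumption
    of this example, a simplification of AM's wildcard rules."""
    return sorted(name for name, patterns in policy_sets.items()
                  if any(fnmatchcase(resource, p) for p in patterns))

def cross_set_advice(request, response, policy_sets):
    """Findings where advice was returned for a resource that the policy set
    named in the request does not protect."""
    requested = request["application"]
    findings = []
    for entry in response:
        advices = entry.get("advices") or {}
        if not advices:
            continue
        covering = owners(entry["resource"], policy_sets)
        if requested not in covering:
            findings.append({"resource": entry["resource"],
                             "requested": requested,
                             "covered_by": covering,
                             "advices": advices})
    return findings

# Constructed exchange: Pattern1's resource evaluated against PolicyB.
RESOURCE = "http://app.example.com/pattern1/index.html"
REQUEST = build_evaluate_request("PolicyB", [RESOURCE])
# Reported behaviour: advice from the policy set that was not requested.
REPORTED_RESPONSE = [{"resource": RESOURCE, "actions": {}, "attributes": {},
                      "advices": {"AuthLevelConditionAdvice": ["1"]}}]
# Behaviour the report expects: no advice from another policy set.
EXPECTED_RESPONSE = [{"resource": RESOURCE, "actions": {}, "attributes": {},
                      "advices": {}}]

if __name__ == "__main__":
    print(cross_set_advice(REQUEST, REPORTED_RESPONSE, POLICY_SETS))
    print(cross_set_advice(REQUEST, EXPECTED_RESPONSE, POLICY_SETS))
```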



              lawrence.yarham Lawrence Yarham
              aaron.haskins Aaron Haskins