Affects Version/s: 11.0.1
Fix Version/s: None
Support Ticket IDs:
Needs QA verification: No
Are the reproduction steps defined?: No (add reasons in the comment)
Test setup used:
Install OpenAM 11.0.1, embedded datastore, default configuration, apache agent for testing
- OpenAM host: openam.example.com:8080/openam
- Apache host: rock.example.com:80
Steps to reproduce:
1. Add subrealm 'SubRealm'
2. Add referral policy in root realm with no rules, refer to Subrealm
3. Attempt to access test URL: http://rock.example.com/jira/secure/foo?bar=lion?tiger
Forbidden page will be given (expected).
4. Restart OpenAM
5. Attempt to access test URL. This is the first unexpected behaviour. Agent will throw an internal server error, caused by this in OpenAM logs:
This is basically a misconfiguration in OpenAM, but I think it is reasonable to expect slightly more graceful behaviour (i.e. forbidden instead of error).
6. Now go into the root referral policy and add a rule to it for
7. Add policy in SubRealm to allow all authenticated users access to
8. Re-attempt to access test URL, should go through successfully (expected).
9. Now go add another rule to the root referral policy to allow:
10. Re-attempt to access test URL, should now give forbidden (unexpected).
11. Restart OpenAM.
12. Re-attempt to access test URL, should now go through (expected).