OpenAM / OPENAM-4518

Wildcard in protocol for policy does not work

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.0.0, 14.0.0, 14.1.0
    • Fix Version/s: None
    • Component/s: policy, rest
    • Environment:
      Centos 6.5 64-bit / JDK 1.6.0_45 / Tomcat 6.0.37 / OpenAM 12.0.0-SNAPSHOT Build 10592 (2014-September-21 01:18)
    • Support Ticket IDs:

      Description

      Steps to reproduce:
      1. Create a policy "*://example.com:80/index.html"

      curl --request POST --header "iPlanetDirectoryPro: <ADMIN TOKEN>" --header "Content-Type: application/json" --data '{ "resources": ["*://example.com:80/index.html"], "name": "testREST", "subject": {"type": "AnyUser"}, "active": true, "actionValues": {"GET": true, "POST": false} }' "http://perf-openam.internal.forgerock.com:8080/openam/json/policies/?_action=create&_prettyPrint=true"
      {
        "name" : "testREST",
        "active" : true,
        "resources" : [ "*://example.com:80/index.html" ],
        "applicationName" : "iPlanetAMWebAgentService",
        "actionValues" : {
          "POST" : false,
          "GET" : true
        },
        "subject" : {
          "type" : "AnyUser"
        },
        "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
        "lastModified" : "2014-09-22T14:11:23Z",
        "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
        "creationDate" : "2014-09-22T14:11:23Z"
      }
      

      2. Evaluate resource "http://example.com:80/index.html"

      curl -X POST -H "iPlanetDirectoryPro: <ADMIN TOKEN>" -H "Content-Type: application/json" --data '{"resources": [ "http://example.com:80/index.html"], "application": "iPlanetAMWebAgentService", "subject": "<USER TOKEN>" }' "http://perf-openam.internal.forgerock.com:8080/openam/json/policies/?_action=evaluate&_prettyPrint=true"
      

      Observed result: deny

      [ {
        "resource" : "http://example.com:80/index.html",
        "actions" : {
        },
        "attributes" : {
        },
        "advices" : {
        }
      } ]
      

      Expected result: allow

      [ {
        "resource" : "http://example.com:80/index.html",
        "actions" : {
          "POST" : false,
          "GET" : true
        },
        "attributes" : {
        },
        "advices" : {
        }
      } ]
      

      It seems a matching policy was found, based on the Policy debug log:

      amPolicy:09/22/2014 03:21:48:928 PM BST: Thread[http-8080-24,5,main]
      Rendering policy request for action evaluate
      amPolicy:09/22/2014 03:21:48:929 PM BST: Thread[http-8080-24,5,main]
      Evaluating policy request for action evaluate under realm / within the application context iPlanetAMWebAgentService
      amEntitlements:09/22/2014 03:21:48:931 PM BST: Thread[http-8080-24,5,main]
      Matched index rules (resource:http://example.com:80/index.html, realm:/): [*://example.com:80/index.html]
      
      

      I have observed one more strange thing: if I set the policy to

      *://example.com:*/index.html
      

      (put a wildcard instead of the port) and I hit the same page, I get the expected result (allow).

              People

              • Assignee: Unassigned
              • Reporter: Richard Hruza (richard.hruza)
              • QA Assignee: Richard Hruza
              • Votes: 1
              • Watchers: 6

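The reproduction steps in the description can be turned into an offline regression check. The following is an added example, not part of the original report and not OpenAM code: it compares an evaluate response against what the policy should grant. It assumes a simplified matcher in which `*` matches any run of characters, and that the `AnyUser` subject applies to every caller; the function names are hypothetical and the JSON is constructed from the report.

```python
import json
import re

def wildcard_to_regex(pattern):
    # Assumption (simplified): '*' matches any run of characters and
    # everything else is literal. This is not OpenAM's own matcher.
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")

def expected_actions(policy, resource):
    """Actions the policy should return for `resource` under the simplified matcher."""
    # Subject conditions are ignored: the report's policy uses AnyUser.
    if policy.get("active") and any(
        wildcard_to_regex(p).match(resource) for p in policy["resources"]
    ):
        return dict(policy["actionValues"])
    return {}

def check_evaluation(policy, response):
    """Return (resource, expected, observed) for every entry that disagrees."""
    mismatches = []
    for entry in response:
        want = expected_actions(policy, entry["resource"])
        got = entry.get("actions", {})
        if want != got:
            mismatches.append((entry["resource"], want, got))
    return mismatches

# Constructed from the JSON in the report (audit fields omitted).
POLICY = json.loads("""{
  "name": "testREST", "active": true,
  "resources": ["*://example.com:80/index.html"],
  "actionValues": {"GET": true, "POST": false},
  "subject": {"type": "AnyUser"}
}""")
OBSERVED = json.loads("""[{"resource": "http://example.com:80/index.html",
  "actions": {}, "attributes": {}, "advices": {}}]""")
EXPECTED = json.loads("""[{"resource": "http://example.com:80/index.html",
  "actions": {"POST": false, "GET": true}, "attributes": {}, "advices": {}}]""")

if __name__ == "__main__":
    for resource, want, got in check_evaluation(POLICY, OBSERVED):
        print(f"MISMATCH {resource}: expected {want}, got {got}")
```

An empty `actions` map on a resource that the index rules matched is the signature of this bug, so the same check can be run over saved evaluate responses after an upgrade.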