Currently policy agent supports either not enforced ip (including old wildcards, cidr and ip ranges) and/or not enforced url settings, in addition, when client ip address matches one of the not enforced ip setting, no further not enforced url evaluation is done.
Policy agent should support more detailed approach while evaluating not-enforced ip/url combination, for example, user should be able to specify not enforced ip (or range) only for a set of not enforced url (or list) - they would be evaluated only when client ip matches not enforced ip setting. If this (new) rule does not find a match an no other (generic) not enforced rule exists - requested url is sent for authentication or denied access.
New parameter syntax can be like this:
10.1.1.0/24 10.1.2.1-10.1.2.7|*/url1 */url2
where multiple ip values, left side of |, are separated by space
and multiple url values on a right side of |. Url values should support not only current wildcard spec., but also one coming with