Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0
Policies with Subject exclusive enabled are lost on upgrade to a later version (not migrated properly). For example, create:
- Simple URL Policy with Subject with group g0 (for http*://:/g0) with GET/POST allow
- Simple URL Policy with Subject with group g0 as above but with exclusive set (for http*://:/notg0)
- Populate Group g0 with user u0 and have a user u1 not in g0
- Login as u0.
On OpenAM11 (expected), and it must be the same on AM12.0.3/13/13.5 (upgraded):
- u0 can access http://*:*/g0
- u0 cannot access http://*:*/notg0 (Forbidden)
- u1 can access http://*:*/notg0
On Upgraded 12/13/13.5
The reason is that the upgrade steps did not set the exclusive flag on the policy for http://*:*/notg0 (i.e. it ends up with "ALL of..." g0 and does not have the "NOT").
- Exporting from OpenAM11 (with list-policies) and importing into OpenAM12 (with create-policies) retains the exclusion policies correctly (working).
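
The following is an added example, not OpenAM code or part of the original report: a small model of the scenario above that evaluates u0 and u1 against both policies and flags policies whose exclusion did not survive migration. The dict layout, the policy names `p_g0`/`p_notg0` and the `honour_exclusive` switch are assumptions made for illustration; "ALL of..." is modelled as an AND node.

```python
# Constructed sample mirroring the two policies and the group in the report.
LEGACY = [
    {"name": "p_g0", "resource": "http://*:*/g0", "group": "g0", "exclusive": False},
    {"name": "p_notg0", "resource": "http://*:*/notg0", "group": "g0", "exclusive": True},
]
GROUPS = {"g0": {"u0"}}  # u1 is not a member of g0


def migrate(policy, honour_exclusive=True):
    """Turn a legacy subject into a subject tree.

    honour_exclusive=False reproduces the reported loss: the subject ends up
    as "ALL of" g0 with no NOT around it.
    """
    node = {"type": "Identity", "group": policy["group"]}
    if policy["exclusive"] and honour_exclusive:
        node = {"type": "NOT", "subject": node}
    return {"name": policy["name"], "resource": policy["resource"],
            "subject": {"type": "AND", "subjects": [node]}}


def matches(subject, user):
    """Evaluate a subject tree for one user."""
    kind = subject["type"]
    if kind == "Identity":
        return user in GROUPS.get(subject["group"], set())
    if kind == "NOT":
        return not matches(subject["subject"], user)
    if kind == "AND":
        return all(matches(s, user) for s in subject["subjects"])
    raise ValueError(f"unknown subject type: {kind}")


def allowed(policies, user, resource):
    """Allow if any policy for this resource matches (exact match for brevity)."""
    return any(p["resource"] == resource and matches(p["subject"], user)
               for p in policies)


def lost_exclusions(legacy, migrated):
    """Names of policies that were exclusive before but have no NOT afterwards."""
    def has_not(s):
        return s["type"] == "NOT" or any(has_not(c) for c in s.get("subjects", []))
    by_name = {p["name"]: p for p in migrated}
    return [p["name"] for p in legacy
            if p["exclusive"] and not has_not(by_name[p["name"]]["subject"])]


if __name__ == "__main__":
    bad = [migrate(p, honour_exclusive=False) for p in LEGACY]
    print("exclusion lost in:", lost_exclusions(LEGACY, bad))
```

Running the same comparison against a real deployment means feeding it the pre-upgrade export and the post-upgrade policy definitions in place of the constructed sample.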