Nested paths access misunderstanding.

This topic has 3 replies, 1 voice, and was last updated 4 years, 11 months ago by skiller.

    #18069
     skiller
    Participant

    Hi!

    I have two dirs, odoutgoing/tmp and odoutgoing.
    The policy set has two policies, one for each path:
    – /odoutgoing/* just for group level2
    – /odoutgoing/tmp/* just for group level1
    The user l2test is in the level2 group only.

    The problem is:
    He can see /odoutgoing/*, but he can also access /odoutgoing/tmp/*.

    I expected the policy to work like “if the user has no access to any matched path, he has no access”. Where can I check/change this decision-making algorithm, or how do I set it up?

    The policy log is here:

    
    Accessing /odoutgoing/*
    
    amPolicy:07/12/2017 04:56:46:600 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.processRequest(): content is <PolicyService version="1.0"><PolicyRequest requestId="4" appSSOToken="AQIC5wM2LY4Sfcztnb1U2QZKbtImxU_0Tx3eN9BkJsmQXSQ.*AAJTSQACMDEAAlNLABQtNDg4NzcwOTI2OTIzNjExNzI5NAACUzEAAA..*"><GetResourceResults userSSOToken="AQIC5wM2LY4SfczABsykJMpEr961KzrqLyJItOqxg0JZt-k.*AAJTSQACMDEAAlNLABQtNTcwOTcxMzQ1OTQ1NzYwMjgwMQACUzEAAA..*" serviceName="iPlanetAMWebAgentService" resourceName="http://sso-www.opendesign.com:80/odoutgoing/" resourceScope="self"><EnvParameters><AttributeValuePair><Attribute name="requestIp"/><Value>192.168.50.2</Value></AttributeValuePair></EnvParameters><GetResponseDecisions></GetResponseDecisions></GetResourceResults></PolicyRequest></PolicyService>
    amPolicy:07/12/2017 04:56:46:600 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.processRequest(): policy service object:<PolicyService version="1.0">
    <PolicyRequest appSSOToken="AQIC5wM2LY4Sfcztnb1U2QZKbtImxU_0Tx3eN9BkJsmQXSQ.*AAJTSQACMDEAAlNLABQtNDg4NzcwOTI2OTIzNjExNzI5NAACUzEAAA..*" requestId="4">
    <GetResourceResults userSSOToken="AQIC5wM2LY4SfczABsykJMpEr961KzrqLyJItOqxg0JZt-k.*AAJTSQACMDEAAlNLABQtNTcwOTcxMzQ1OTQ1NzYwMjgwMQACUzEAAA..*" serviceName="iPlanetAMWebAgentService" resourceName="http://sso-www.opendesign.com:80/odoutgoing/" resourceScope="self">
    <EnvParameters>
    <AttributeValuePair>
    <Attribute name="requestIp"/>
    <Value>192.168.50.2</Value>
    </AttributeValuePair>
    </EnvParameters>
    <GetResponseDecisions>
    </GetResponseDecisions>
    </GetResourceResults>
    </PolicyRequest>
    </PolicyService>
    
    amPolicy:07/12/2017 04:56:46:600 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.processPolicyRequest():  req received:
    <PolicyRequest appSSOToken="AQIC5wM2LY4Sfcztnb1U2QZKbtImxU_0Tx3eN9BkJsmQXSQ.*AAJTSQACMDEAAlNLABQtNDg4NzcwOTI2OTIzNjExNzI5NAACUzEAAA..*" requestId="4">
    <GetResourceResults userSSOToken="AQIC5wM2LY4SfczABsykJMpEr961KzrqLyJItOqxg0JZt-k.*AAJTSQACMDEAAlNLABQtNTcwOTcxMzQ1OTQ1NzYwMjgwMQACUzEAAA..*" serviceName="iPlanetAMWebAgentService" resourceName="http://sso-www.opendesign.com:80/odoutgoing/" resourceScope="self">
    <EnvParameters>
    <AttributeValuePair>
    <Attribute name="requestIp"/>
    <Value>192.168.50.2</Value>
    </AttributeValuePair>
    </EnvParameters>
    <GetResponseDecisions>
    </GetResponseDecisions>
    </GetResourceResults>
    </PolicyRequest>
    
    amPolicy:07/12/2017 04:56:46:602 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.processPolicyRequest(): respAttrs=
    []
    amPolicy:07/12/2017 04:56:46:602 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.convertEnvParams(): requestIp is 192.168.50.2
    amPolicy:07/12/2017 04:56:46:602 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.convertEnvParams(): requestTime is null
    amPolicy:07/12/2017 04:56:46:602 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.convertEnvParams(): requestTimeZone is null
    amPolicy:07/12/2017 04:56:46:605 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    URLResourceName: portString = 80
    amPolicy:07/12/2017 04:56:46:606 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    URLResourceName: url query=null
    amEntitlements:07/12/2017 04:56:46:606 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    Matched index rules (resource:http://sso-www.opendesign.com:80/odoutgoing/, realm:/): [*://*:*/odoutgoing/*]
    amPolicy:07/12/2017 04:56:46:617 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    AMIndentitySubject.isMember(): entering with userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:46:617 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    AMIndentitySubject.isMember(): checking membership with userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subjectValue = id=level2,ou=group,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:46:617 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    IdentitySubject:isMember():entry for id=level2,ou=group,dc=openam,dc=forgerock,dc=org not in subject evaluation cache, so compute using IDRepo api
    amPolicy:07/12/2017 04:56:46:617 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    IdentitySubject.isMember():user uuid = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subject uuid = id=level2,ou=group,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:46:624 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    IdentitySubject.isMember():userIdentity type IdType: user can be a member of subjectIdentityType IdType: group:membership=true
    amPolicy:07/12/2017 04:56:46:624 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    IdentitySubject.isMember: adding entry in SubjectEvaluationCache for , for userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subjectValue = id=level2,ou=group,dc=openam,dc=forgerock,dc=org, subjectMatch = true
    amPolicy:07/12/2017 04:56:46:624 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    IdentitySubject.isMember(): User id=l2test,ou=user,dc=openam,dc=forgerock,dc=org is a member of this subject
    amPolicy:07/12/2017 04:56:46:624 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.processPolicyRequest(): resource result:
    <ResourceResult name="http://sso-www.opendesign.com:80/odoutgoing/">
    <PolicyDecision>
    <ResponseAttributes>
    </ResponseAttributes>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="GET"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="HEAD"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    </PolicyDecision>
    </ResourceResult>
    
    amPolicy:07/12/2017 04:56:46:626 PM MSK: Thread[http-bio-8080-exec-10,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2304]
    PolicyRequestHandler.processRequest(): get response from policy framework:
    <PolicyService version="1.0" revisionNumber="60">
    <PolicyResponse requestId="4" issueInstant="1499867806626" >
    <ResourceResult name="http://sso-www.opendesign.com:80/odoutgoing/">
    <PolicyDecision>
    <ResponseAttributes>
    </ResponseAttributes>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="GET"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="HEAD"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    </PolicyDecision>
    </ResourceResult>
    </PolicyResponse>
    </PolicyService>
    
    Accessing /odoutgoing/tmp/*
    
    amPolicy:07/12/2017 04:56:57:514 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.processRequest(): content is <PolicyService version="1.0"><PolicyRequest requestId="4" appSSOToken="AQIC5wM2LY4Sfcztnb1U2QZKbtImxU_0Tx3eN9BkJsmQXSQ.*AAJTSQACMDEAAlNLABQtNDg4NzcwOTI2OTIzNjExNzI5NAACUzEAAA..*"><GetResourceResults userSSOToken="AQIC5wM2LY4SfczABsykJMpEr961KzrqLyJItOqxg0JZt-k.*AAJTSQACMDEAAlNLABQtNTcwOTcxMzQ1OTQ1NzYwMjgwMQACUzEAAA..*" serviceName="iPlanetAMWebAgentService" resourceName="http://sso-www.opendesign.com:80/odoutgoing/tmp/" resourceScope="self"><EnvParameters><AttributeValuePair><Attribute name="requestIp"/><Value>192.168.50.2</Value></AttributeValuePair></EnvParameters><GetResponseDecisions></GetResponseDecisions></GetResourceResults></PolicyRequest></PolicyService>
    amPolicy:07/12/2017 04:56:57:515 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.processRequest(): policy service object:<PolicyService version="1.0">
    <PolicyRequest appSSOToken="AQIC5wM2LY4Sfcztnb1U2QZKbtImxU_0Tx3eN9BkJsmQXSQ.*AAJTSQACMDEAAlNLABQtNDg4NzcwOTI2OTIzNjExNzI5NAACUzEAAA..*" requestId="4">
    <GetResourceResults userSSOToken="AQIC5wM2LY4SfczABsykJMpEr961KzrqLyJItOqxg0JZt-k.*AAJTSQACMDEAAlNLABQtNTcwOTcxMzQ1OTQ1NzYwMjgwMQACUzEAAA..*" serviceName="iPlanetAMWebAgentService" resourceName="http://sso-www.opendesign.com:80/odoutgoing/tmp/" resourceScope="self">
    <EnvParameters>
    <AttributeValuePair>
    <Attribute name="requestIp"/>
    <Value>192.168.50.2</Value>
    </AttributeValuePair>
    </EnvParameters>
    <GetResponseDecisions>
    </GetResponseDecisions>
    </GetResourceResults>
    </PolicyRequest>
    </PolicyService>
    
    amPolicy:07/12/2017 04:56:57:515 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.processPolicyRequest():  req received:
    <PolicyRequest appSSOToken="AQIC5wM2LY4Sfcztnb1U2QZKbtImxU_0Tx3eN9BkJsmQXSQ.*AAJTSQACMDEAAlNLABQtNDg4NzcwOTI2OTIzNjExNzI5NAACUzEAAA..*" requestId="4">
    <GetResourceResults userSSOToken="AQIC5wM2LY4SfczABsykJMpEr961KzrqLyJItOqxg0JZt-k.*AAJTSQACMDEAAlNLABQtNTcwOTcxMzQ1OTQ1NzYwMjgwMQACUzEAAA..*" serviceName="iPlanetAMWebAgentService" resourceName="http://sso-www.opendesign.com:80/odoutgoing/tmp/" resourceScope="self">
    <EnvParameters>
    <AttributeValuePair>
    <Attribute name="requestIp"/>
    <Value>192.168.50.2</Value>
    </AttributeValuePair>
    </EnvParameters>
    <GetResponseDecisions>
    </GetResponseDecisions>
    </GetResourceResults>
    </PolicyRequest>
    
    amPolicy:07/12/2017 04:56:57:516 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.processPolicyRequest(): respAttrs=
    []
    amPolicy:07/12/2017 04:56:57:516 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.convertEnvParams(): requestIp is 192.168.50.2
    amPolicy:07/12/2017 04:56:57:516 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.convertEnvParams(): requestTime is null
    amPolicy:07/12/2017 04:56:57:516 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.convertEnvParams(): requestTimeZone is null
    amPolicy:07/12/2017 04:56:57:519 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    URLResourceName: portString = 80
    amPolicy:07/12/2017 04:56:57:519 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    URLResourceName: url query=null
    amEntitlements:07/12/2017 04:56:57:520 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    Matched index rules (resource:http://sso-www.opendesign.com:80/odoutgoing/tmp/, realm:/): [*://*:*/odoutgoing/*, *://*:*/odoutgoing/tmp/*]
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    AMIndentitySubject.isMember(): entering with userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    AMIndentitySubject.isMember(): checking membership with userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subjectValue = id=level2,ou=group,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    SubjectEvaluationCache.isMember(): getting the membership result from cache.
    
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    IdentitySubject.isMember():got membership from SubjectEvaluationCache  for userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subjectValue = id=level2,ou=group,dc=openam,dc=forgerock,dc=org, result = true
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    AMIndentitySubject.isMember():  returning membership status = true
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    AMIndentitySubject.isMember(): entering with userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    AMIndentitySubject.isMember(): checking membership with userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subjectValue = id=level1,ou=group,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    IdentitySubject:isMember():entry for id=level1,ou=group,dc=openam,dc=forgerock,dc=org not in subject evaluation cache, so compute using IDRepo api
    amPolicy:07/12/2017 04:56:57:531 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    IdentitySubject.isMember():user uuid = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subject uuid = id=level1,ou=group,dc=openam,dc=forgerock,dc=org
    amPolicy:07/12/2017 04:56:57:538 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    IdentitySubject.isMember():userIdentity type IdType: user can be a member of subjectIdentityType IdType: group:membership=false
    amPolicy:07/12/2017 04:56:57:538 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    IdentitySubject.isMember: adding entry in SubjectEvaluationCache for , for userDN = id=l2test,ou=user,dc=openam,dc=forgerock,dc=org, subjectValue = id=level1,ou=group,dc=openam,dc=forgerock,dc=org, subjectMatch = false
    amPolicy:07/12/2017 04:56:57:538 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    IdentitySubject.isMember(): user id=l2test,ou=user,dc=openam,dc=forgerock,dc=org is not a member of this subject
    amPolicy:07/12/2017 04:56:57:538 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.processPolicyRequest(): resource result:
    <ResourceResult name="http://sso-www.opendesign.com:80/odoutgoing/tmp/">
    <PolicyDecision>
    <ResponseAttributes>
    </ResponseAttributes>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="GET"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="HEAD"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    </PolicyDecision>
    </ResourceResult>
    
    amPolicy:07/12/2017 04:56:57:539 PM MSK: Thread[http-bio-8080-exec-16,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2314]
    PolicyRequestHandler.processRequest(): get response from policy framework:
    <PolicyService version="1.0" revisionNumber="60">
    <PolicyResponse requestId="4" issueInstant="1499867817539" >
    <ResourceResult name="http://sso-www.opendesign.com:80/odoutgoing/tmp/">
    <PolicyDecision>
    <ResponseAttributes>
    </ResponseAttributes>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="GET"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    <ActionDecision timeToLive="9223372036854775807">
    <AttributeValuePair>
    <Attribute name="HEAD"/>
    <Value>allow</Value>
    </AttributeValuePair>
    <Advices>
    </Advices>
    </ActionDecision>
    </PolicyDecision>
    </ResourceResult>
    </PolicyResponse>
    </PolicyService>
    
    #18071
     skiller
    Participant

    I have found this:

    OpenAM then evaluates those policies to make a decision based on the conditions matching those of the subject and environment. When multiple policies apply for a particular resource, the default logic for combining decisions is that the first evaluation resulting in a decision to deny access takes precedence over all other evaluations. OpenAM only allows access if all applicable policies evaluate to a decision to allow access.

    But it seems not to be working?
    What am I doing wrong?
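Added example (not part of the thread, and not OpenAM's own code): a small Python model of the combining rule quoted above, to show why the quoted text and the observed result do not contradict each other. The logs in this thread show the level1 subject check failing for l2test on /odoutgoing/tmp/ and the request still being allowed. That is what the model reproduces: a policy whose subject does not match is simply not applicable and contributes no decision, so "deny takes precedence" never fires because no applicable policy ever says deny. The model also shows the policy shape that does give the expected result, an explicit deny on /odoutgoing/tmp/* for subjects outside level1. Pattern matching uses fnmatch as a stand-in for OpenAM's URL resource matcher, and the policy name odoutgoing-tmp-deny, the NOT-group subject and the level1-only user are assumptions made for the illustration.

```python
"""Decision combining for nested OpenAM-style URL policies.

Added example, not code from the forum thread or from OpenAM itself.
Assumptions (simplifications of OpenAM's real behaviour):
- resource patterns are matched with fnmatch, so '*' spans '/' too;
- a policy whose subject does not match the user is "not applicable"
  and contributes no decision at all (it is NOT an implicit deny);
- decisions are combined deny-overrides: any applicable deny wins,
  otherwise any applicable allow wins, otherwise there is no decision.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, FrozenSet, List, Optional

Groups = FrozenSet[str]


@dataclass
class Policy:
    name: str
    resources: List[str]                  # patterns like "*://*:*/odoutgoing/*"
    subject: Callable[[Groups], bool]     # subject condition over the user's groups
    actions: Dict[str, bool]              # action -> True = allow, False = deny


def in_group(group: str) -> Callable[[Groups], bool]:
    return lambda groups: group in groups


def not_in_group(group: str) -> Callable[[Groups], bool]:
    return lambda groups: group not in groups


def evaluate(policies: List[Policy], resource: str, groups: Groups,
             action: str) -> Optional[str]:
    """Return "allow", "deny", or None when no applicable policy decided."""
    decisions: List[bool] = []
    for policy in policies:
        if not any(fnmatchcase(resource, pat) for pat in policy.resources):
            continue                      # resource index rule did not match
        if not policy.subject(groups):
            continue                      # doesSubjectMatch false -> no decision
        if action in policy.actions:
            decisions.append(policy.actions[action])
    if False in decisions:
        return "deny"                     # deny overrides any allow
    if True in decisions:
        return "allow"
    return None


ALLOW_GET_HEAD = {"GET": True, "HEAD": True}
DENY_GET_HEAD = {"GET": False, "HEAD": False}

# The two policies as described in the thread: allow-only, one group each.
AS_CONFIGURED = [
    Policy("odoutgoing", ["*://*:*/odoutgoing/*"], in_group("level2"), ALLOW_GET_HEAD),
    Policy("odoutgoing-tmp", ["*://*:*/odoutgoing/tmp/*"], in_group("level1"), ALLOW_GET_HEAD),
]

# Same set plus an explicit deny for everyone outside level1 on the nested path.
# Policy name and NOT-group subject are illustrative, not taken from the thread.
WITH_EXPLICIT_DENY = AS_CONFIGURED + [
    Policy("odoutgoing-tmp-deny", ["*://*:*/odoutgoing/tmp/*"],
           not_in_group("level1"), DENY_GET_HEAD),
]

TOP = "http://sso-www.opendesign.com:80/odoutgoing/"
TMP = "http://sso-www.opendesign.com:80/odoutgoing/tmp/"
L2TEST: Groups = frozenset({"level2"})     # the thread's user, level2 only
L1USER: Groups = frozenset({"level1"})     # constructed for contrast


def demo() -> Dict[str, Optional[str]]:
    """Evaluate GET for both users against both policy sets and both paths."""
    return {
        "configured/l2test/top": evaluate(AS_CONFIGURED, TOP, L2TEST, "GET"),
        "configured/l2test/tmp": evaluate(AS_CONFIGURED, TMP, L2TEST, "GET"),
        "deny/l2test/top": evaluate(WITH_EXPLICIT_DENY, TOP, L2TEST, "GET"),
        "deny/l2test/tmp": evaluate(WITH_EXPLICIT_DENY, TMP, L2TEST, "GET"),
        "deny/l1user/tmp": evaluate(WITH_EXPLICIT_DENY, TMP, L1USER, "GET"),
        "deny/l1user/top": evaluate(WITH_EXPLICIT_DENY, TOP, L1USER, "GET"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

With the policies as configured, l2test gets "allow" on /odoutgoing/tmp/ exactly as in the thread's logs; only the added deny policy turns that into "deny", while a level1 user keeps "allow" on the nested path and gets no decision at all on the parent path.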

    #18072
     skiller
    Participant

    The Entitlement log is:

    
    [PolicyEval] normalisedResourceName: http://sso-www.opendesign.com:80/odoutgoing/tmp/
    Entitlement:07/12/2017 05:29:06:800 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] requestedResourceName: http://sso-www.opendesign.com:80/odoutgoing/tmp/
    Entitlement:07/12/2017 05:29:06:800 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] actions: []
    Entitlement:07/12/2017 05:29:06:800 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] envParameters: {sun.am.requestedResource=[http://sso-www.opendesign.com:80/odoutgoing/tmp/], invocatorPrincipalUuid=[id=l2test,ou=user,dc=openam,dc=forgerock,dc=org], am.policy.realmDN=[dc=openam,dc=forgerock,dc=org], requestIp=192.168.50.2, sun.am.requestedActions=[POST, PATCH, GET, DELETE, OPTIONS, PUT, HEAD], sun.am.requestedOriginalResource=[http://sso-www.opendesign.com:80/odoutgoing/tmp/]}
    Entitlement:07/12/2017 05:29:06:801 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] DataStore.searchPrivileges
    Entitlement:07/12/2017 05:29:06:801 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] search filter: (&(|(sunxmlKeyValue=subjectindex=identity:=id=l2test,ou=user)(sunxmlKeyValue=subjectindex=identity:=all))(|(sunxmlKeyValue=hostindex=:\2f\2f)(sunxmlKeyValue=hostindex=:\2f\2f.opendesign.com)(sunxmlKeyValue=hostindex=:\2f\2f.com)(sunxmlKeyValue=hostindex=:\2f\2fsso-www.opendesign.com))(|(sunxmlKeyValue=pathindex=\2a:\2f\2f\2a:\2a\2fodoutgoing\2f\2a)(sunxmlKeyValue=pathindex=\2a:\2f\2f\2a:\2a\2fodoutgoing\2ftmp\2f\2a)))
    Entitlement:07/12/2017 05:29:06:801 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] search DN: ou=default,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services,dc=openam,dc=forgerock,dc=org
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] PolicyEvaluator.evaluate
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] search result: privilege=odoutgoing
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] PolicyEvaluator.evaluate
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] search result: privilege=odoutgoing-tmp
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] Privilege.doesSubjectMatch: true
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] Privilege.doesConditionMatch: true
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] OpenSSOPrivilege.evaluate: resources=[*://*:*/odoutgoing/*]
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] Privilege.doesSubjectMatch: false
    Entitlement:07/12/2017 05:29:06:812 PM MSK: Thread[http-bio-8080-exec-5,5,main]: TransactionId[fa934829-88ce-46f4-9dd1-e8fe4bd016e2-2657]
    [PolicyEval] Advices: {}
    
    #18075
     skiller
    Participant

    Not Enforced URL Processing
    Ignore Path Info for Not Enforced URLs: Enabled
    Invert Not Enforced URLs: Enabled

    Whether the Not Enforced URL list contains both paths or just /odoutgoing doesn't matter.
