OpenSSO (OpenAM) : Turn off URL enforcement

Developer https://www.devze.com 2023-04-06 17:30 Source: Internet

We're using OpenAM to manage sessions on our application. The problem is every time we're trying to pass a parameter with the GET method, the resource is blocked (error 403 - forbidden). If no parameter is set, everything is working.

EX:

http://mysite.com/logo.jpg ----> Works.

http://mysite.com/logo.jpg?foo=bar ----> ERROR !

For images or CSS, it's normal not to have parameters, but all links using the GET method aren't working.

How could we solve our problem? Actually, disabling this policy would be a good solution.

We've looked for section 7.4.2 in the OpenAM documentation (http://openam.forgerock.org/doc/admin-guide/OpenAM-Admin-Guide.html) but nothing is working.

Any clue?

Thanks for your time.


So all you need to do is create 2 policies, one to cover

.mysite.com/ (I could not post the http://)

.mysite.com/?*

Since the policy engine actually looks at arguments and can restrict access based on args or not.

Creating a second policy to allow args will solve your problems.


You have to create the appropriate policies to accept parameters in your URL.

In your OpenAM console:

- go to the Access Control Tab
- click on the realm you want to modify
- click on the Agents Tab
- click the agent name you want to modify
- go to the Application Tab

In the Not Enforced URL Processing section:

- look for the NotEnforced URLs parameter
- enter the new policies in New Value
- click Add and then save.

You can use * or -*- depending on what you want:

  • * includes all subdivisions (Ex: mysite.com/* would permit mysite.com/Foo/Bar)
  • -*- excludes subdivisions (Ex: mysite.com/-*- would permit mysite.com/page1.aspx but not mysite.com/Foo/page1.aspx)

So you can use for your parameters something like mysite.com?-*- or more specifically mysite.com?myparam=-*-

And be aware: despite the fact that it is indicated "Hot Swap: yes", it doesn't mean that your changes are effective immediately.
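Added example, not part of the original answers and not OpenAM's own matcher: a simplified Python model of the wildcard rules described above, useful for checking which URLs a candidate Not Enforced pattern would exempt from the agent before saving it. It assumes `*` does not cross `?` and `-*-` does not cross `/` or `?`; the function names and sample URLs are constructed for illustration.

```python
import re

def pattern_to_regex(pattern):
    """Simplified model (assumption, not OpenAM code):
    '-*-' stays within one path level, '*' spans levels,
    and neither wildcard crosses the '?' that starts a query string."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("-*-", i):
            out.append(r"[^/?]*")   # one level only
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^?]*")    # any depth, but no query string
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def matches(pattern, url):
    return pattern_to_regex(pattern).match(url) is not None

def exempted(patterns, urls):
    """URLs that at least one not-enforced pattern would match."""
    return [u for u in urls if any(matches(p, u) for p in patterns)]

# Constructed sample URLs, modelled on the ones in the question.
SAMPLE_URLS = [
    "http://mysite.com/logo.jpg",
    "http://mysite.com/logo.jpg?foo=bar",
    "http://mysite.com/Foo/page1.aspx",
    "http://mysite.com/Foo/page1.aspx?id=7",
]

if __name__ == "__main__":
    candidates = [
        ["http://mysite.com/*"],                          # no query strings
        ["http://mysite.com/*", "http://mysite.com/*?*"], # everything
        ["http://mysite.com/-*-?foo=-*-"],                # one level, one param
    ]
    for patterns in candidates:
        print(patterns)
        for url in exempted(patterns, SAMPLE_URLS):
            print("   not enforced:", url)
```

Every URL printed under a pattern set would be served without the agent enforcing authentication, so the narrowest set that covers the intended resources is the one to enter.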
