Wildcards for OpenSSO

NOTE ADDED 10/11/08: For the most up-to-date info on wildcards see the following link:

http://wikis.sun.com/display/OpenSSO/openssowildcards

Earlier this year, Michael Teger blogged about wildcard use for our products as follows:

http://blogs.sun.com/docteger/entry/wildcard_matches_in_policy_agents

http://blogs.sun.com/docteger/entry/one_more_wildcard

I used this information to put together a write-up for the OpenSSO Enterprise 8.0 and Policy Agent 3.0 documentation. I talked to a few developers to get more information and to have them double-check everything, so this should completely explain how wildcards can be used in policy-related situations when configuring OpenSSO or Policy Agent.

If anything looks unclear to you in this write-up, please leave a comment.


Below is the write-up about wildcard use in OpenSSO and Policy Agent.


Wildcard Matching in OpenSSO

The OpenSSO Enterprise policy service supports policy definitions that use either of the two following wildcards:

  • The multi-level wildcard: the asterisk (\*)

  • The one-level wildcard: hyphen-asterisk-hyphen (-\*-)

These wildcards can be used in any policy-related situation: for example, when creating policies with the OpenSSO Enterprise Console or the ssoadm utility, or when configuring the Policy Agent property that sets the not-enforced list.


Caution - When issuing the ssoadm command, if you include values that contain wildcards (\* or -\*-), enclose the name/value pair in double quotes. Otherwise the shell may expand the asterisk as a filename glob before ssoadm ever sees the value.


When creating a policy, the following are valid examples of the wildcards in use:

  • http://agentHost:8090/agentsample/\*

  • http://agentHost:8090/agentsample/example-\*-/example.html

For the not-enforced list, the following are valid examples of the wildcards in use:

Web Agents:

  • http://agentHost:8090/agentsample.com/\*.gif

  • http://agentHost:8090/agentsample/-\*-/images

J2EE Agents:

  • /agentsample.com/\*.gif

  • /agentsample.com/-\*-/images


Note - A policy resource can have either the multi-level wildcard (\*) or the one-level wildcard (-\*-), but not both. Using both types of wildcards in the same policy resource is not supported.


The Multi-Level Wildcard: \*

The following list summarizes the behavior of the multi-level wildcard (the asterisk, \*):

  • Matches zero or more occurrences of any character except for the question mark (?).

  • Spans across multiple levels in a URL

  • Cannot be escaped. The backslash character (\\) or any other character cannot be used to escape the asterisk; writing \\\* does not produce a literal asterisk.

The following examples show the multi-level wildcard character when used with the forward slash (/) as the delimiter character:

  • The asterisk (\*) matches zero or more characters, except the question mark, in the resource name, including the forward slash (/). For example, ...B-example/\* matches ...B-example/b/c/d, but doesn't match ...B-example/?

  • Multiple consecutive forward slash characters (/) do not match with a single forward slash character (/). For example, ...B-example/\*/A-example doesn't match ...B-example/A-example.

  • Any number of trailing forward slash characters (/) are not recognized as part of the resource name. For example, ...B-example/ or ...B-example// are treated the same as ...B-example.

Table B-1 Examples of the Asterisk (\*) as the Multi-Level Wildcard

Pattern: http://A-example.com:80/\*
  Matches:
    http://A-example.com:80
    http://A-example.com:80/
    http://A-example.com:80/index.html
    http://A-example.com:80/x.gif
  Does Not Match:
    http://B-example.com:80/
    http://A-example.com:8080/index.html
    http://A-example.com:80/a?b=1

Pattern: http://A-example.com:80/\*.html
  Matches:
    http://A-example.com:80/index.html
    http://A-example.com:80/pub/ab.html
    http://A-example.com:80/pri/xy.html
  Does Not Match:
    http://A-example.com/index.html
    http://A-example.com:80/x.gif
    http://B-example.com/index.html

Pattern: http://A-example.com:80/\*/ab
  Matches:
    http://A-example.com:80/pri/xy/ab/xy/ab
    http://A-example.com:80/xy/ab
  Does Not Match:
    http://A-example.com/ab
    http://A-example.com/ab.html
    http://B-example.com:80/ab

Pattern: http://A-example.com:80/ab/\*/de
  Matches:
    http://A-example.com:80/ab/123/de
    http://A-example.com:80/ab/ab/de
    http://A-example.com:80/ab/de/ab/de
    http://A-example.com:80/ab//de
  Does Not Match:
    http://A-example.com:80/ab/de
    http://B-example.com:80/ab/de/ab/de

The One-Level Wildcard: -\*-

The one-level wildcard (-\*-) matches only the defined level, starting at the location of the one-level wildcard and ending at the next delimiter boundary. The "defined level" refers to the area between delimiter boundaries. Many of the rules that apply to the multi-level wildcard also apply to the one-level wildcard.

The following list summarizes the behavior of hyphen-asterisk-hyphen (-\*-) as a wildcard:

  • Matches zero or more occurrences of any character except for the forward slash and the question mark (?).

  • Does not span across multiple levels in a URL

  • Cannot be escaped. The backslash character (\\) or any other character cannot be used to escape the hyphen-asterisk-hyphen; writing \\-\*- does not produce a literal -\*-.

The following examples show the one-level wildcard when used with the forward slash (/) as the delimiter character:

  • The one-level wildcard (-\*-) matches zero or more characters (except for the forward slash and the question mark) in the resource name. For example, ...B-example/-\*- doesn't match ...B-example/b/c/ or ...B-example/b?

  • Multiple consecutive forward slash characters (/) do not match with a single forward slash character (/). For example, ...B-example/-\*-/A-example doesn't match ...B-example/A-example.

  • Any number of trailing forward slash characters (/) are not recognized as part of the resource name. For example, ...B-example/ or ...B-example// are treated the same as ...B-example.

Table B-2 Examples of the One-Level Wildcard (-\*-)

Pattern: http://A-example.com:80/b/-\*-
  Matches:
    http://A-example.com:80/b
    http://A-example.com:80/b/
    http://A-example.com:80/b/cd/
  Does Not Match:
    http://A-example.com:80/b/c?d=e
    http://A-example.com:80/b/cd/e
    http://A-example.com:8080/b/

Pattern: http://A-example.com:80/b/-\*-/f
  Matches:
    http://A-example.com:80/b/c/f
    http://A-example.com:80/b/cde/f
  Does Not Match:
    http://A-example.com:80/b/c/e/f
    http://A-example.com:80/f/

Pattern: http://A-example.com:80/b/c-\*-/f
  Matches:
    http://A-example.com:80/b/cde/f
    http://A-example.com:80/b/cd/f
    http://A-example.com:80/b/c/f
  Does Not Match:
    http://A-example.com:80/b/c/e/f
    http://A-example.com:80/b/c/
    http://A-example.com:80/b/c/fg
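The rules above can be checked mechanically before a pattern goes into a policy or a not-enforced list. The following Python module is an added example, not OpenSSO or Policy Agent code: it encodes the documented semantics of the two wildcards (neither crosses a question mark, -*- also stops at the delimiter, neither can be escaped, // is not the same as /, trailing delimiters are ignored, and a resource may not mix * with -*-) as anchored regular expressions and reproduces the rows of Tables B-1 and B-2. The function names (wildcard_kind, compile_pattern, matches) are mine, the forward slash is assumed to be the delimiter as in the examples, and the way a pattern that ends in a wildcard is reconciled with the trailing-slash rule (the resource is also tried with one delimiter appended) is an assumption about a corner case the write-up does not spell out.

```python
"""Reference model of OpenSSO policy-resource wildcard matching.

Added illustration, not OpenSSO or Policy Agent code. It encodes the rules
given in the write-up (multi-level '*', one-level '-*-', '?' never matched,
no escaping, '//' distinct from '/', trailing '/' ignored) so that a pattern
can be tested against candidate URLs. Assumes '/' is the delimiter.
"""
import re

ONE_LEVEL = "-*-"
MULTI_LEVEL = "*"


def wildcard_kind(pattern):
    """Return 'one', 'multi' or None; raise ValueError if both kinds appear."""
    has_one = ONE_LEVEL in pattern
    # Any asterisk left after removing every '-*-' is a multi-level wildcard.
    has_multi = MULTI_LEVEL in pattern.replace(ONE_LEVEL, "")
    if has_one and has_multi:
        raise ValueError("a resource may use either * or -*-, not both: %r" % pattern)
    if has_one:
        return "one"
    if has_multi:
        return "multi"
    return None


def is_supported(pattern):
    """True unless the pattern mixes the two wildcard kinds."""
    try:
        wildcard_kind(pattern)
        return True
    except ValueError:
        return False


def compile_pattern(pattern):
    """Translate a policy resource into an anchored regular expression."""
    pattern = pattern.rstrip("/")  # trailing delimiters are not part of the name
    kind = wildcard_kind(pattern)
    if kind == "one":
        token, body = ONE_LEVEL, r"[^/?]*"   # stays within one level, stops at '?'
    elif kind == "multi":
        token, body = MULTI_LEVEL, r"[^?]*"  # spans levels, still stops at '?'
    else:
        return re.compile(re.escape(pattern))
    # The pattern is split on the wildcard token and every literal piece is
    # escaped, so a backslash in front of the token is just a literal
    # backslash: the wildcard cannot be escaped. '//' in the pattern (or a
    # '/' next to an empty wildcard) stays two characters and never collapses.
    return re.compile(body.join(re.escape(piece) for piece in pattern.split(token)))


def matches(pattern, resource):
    """Does `resource` match the policy resource `pattern`?"""
    regex = compile_pattern(pattern)
    name = resource.rstrip("/")
    # Assumption for the corner case of a pattern ending in a wildcard: with
    # the wildcard empty, '/b/-*-' denotes '/b/', i.e. '/b' once trailing
    # delimiters are dropped. Trying the resource with one delimiter appended
    # covers that without collapsing '//' elsewhere ('/ab/*/de' still rejects
    # '/ab/de').
    return regex.fullmatch(name) is not None or regex.fullmatch(name + "/") is not None


if __name__ == "__main__":
    # Constructed sample checks taken from the rows of Tables B-1 and B-2.
    samples = [
        ("http://A-example.com:80/ab/*/de", "http://A-example.com:80/ab//de"),
        ("http://A-example.com:80/ab/*/de", "http://A-example.com:80/ab/de"),
        ("http://A-example.com:80/*", "http://A-example.com:80/a?b=1"),
        ("http://A-example.com:80/b/-*-", "http://A-example.com:80/b/cd/"),
        ("http://A-example.com:80/b/-*-", "http://A-example.com:80/b/cd/e"),
        ("http://A-example.com:80/b/c-*-/f", "http://A-example.com:80/b/c/fg"),
    ]
    for pat, res in samples:
        print("%-36s %-42s %s" % (pat, res, matches(pat, res)))
```

Run the module directly to print a small match/no-match table; matches(pattern, resource) is the entry point to reuse. Because the matcher treats the scheme, host and port as literal text, http://A-example.com/index.html does not match a pattern written with :80, exactly as Table B-1 states, so a not-enforced entry that omits the port will silently fail to cover requests that carry it.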

Comments:

Please add info about URL parameter handling (https://opensso.dev.java.net/issues/show_bug.cgi?id=2398) and the effect of the com.sun.identity.agents.config.ignore.path.info parameter on how it behaves (https://opensso.dev.java.net/issues/show_bug.cgi?id=2988), also a similar description of how this stuff works with the not_enforced list would be good as well.

-Thanks

Posted by Christopher Nebergall on October 06, 2008 at 01:35 AM PDT #

I looked into these issues. Wildcard usage applies equally to setting policies and to adding URLs to the not-enforced list.

Also, I see that a property exists now for web agents and J2EE agents that enables the agent to strip the path info from the request URL. Here are links.

Web:
http://wikis.sun.com/display/OpenSSO/miscellaneouswebignorepathinfo

J2EE:
http://wikis.sun.com/display/OpenSSO/j2eemiscellaneousignorepathinfo

It seems that only sites that are performing a specific type of mapping have a need for this. I'll look into this further.

Posted by John Domenichini on October 07, 2008 at 10:22 AM PDT #

I'm not 100% certain what the current definition of "path info" is for strip path_info. It might include URL arguments and PATH_INFO (a CGI/servlet part of the URL) which is my guess but I'm not sure. Let me know if you want/need me to do research through the code and find that out.

Would it make more sense for you to put docs entries like this blog post into one of the Sun wikis instead of your blog? Then others like myself could help provide content and help keep it up to date.

Posted by Christopher Nebergall on October 08, 2008 at 01:35 AM PDT #

>>>It seems that only site's that are performing a specific type of mapping have a need for this. I'll look into this further.

True, but if they do need it and don't use it (because they don't know about it), it's a security hole in their deployment.

Posted by Christopher Nebergall on October 08, 2008 at 02:33 AM PDT #

Christopher:

I took your suggestion to heart and created a wiki page for this wildcard info. Good suggestion. Here's the link (see below). Please, you and anyone else who has access, add info as you see fit. I think anyone can at least add a comment.

http://wikis.sun.com/display/OpenSSO/openssowildcards

Posted by John Domenichini on October 12, 2008 at 04:15 AM PDT #
