Saturday Oct 11, 2008

The Most Up-To-Date OpenSSO Wildcard Info

For the most up-to-date information about the use of wildcards for OpenSSO policy definitions, see the following page on the OpenSSO wiki:

http://wikis.sun.com/display/OpenSSO/openssowildcards

I've written a couple of blog entries on wildcards lately:

Christopher Nebergall left a comment on the "Wildcards for OpenSSO" entry saying the following:

"Would it make more sense for you to put doc entries like this blog post into one of the Sun wiki's instead of your blog? Then others like myself could help provide content and help keep it up to date."

I thought that was such a grand idea that I created the Wildcard Matching in OpenSSO wiki page.

Okay, so now, that should be the go-to place for wildcard information related to OpenSSO. So information on wildcards and their relationship to query strings and the like will be most up-to-date on that wiki page. I would venture to say that that page will end up being more current and comprehensive than the official documentation on the topic.

Tuesday Oct 07, 2008

OpenSSO: Wildcards and Handling Resources with Query Strings

NOTE ADDED 10/11/08: For the most up-to-date info on wildcards see the following link:

http://wikis.sun.com/display/OpenSSO/openssowildcards

In my previous blog entry, Wildcards for OpenSSO, I provided the write up I plan to include for OpenSSO documentation. I got some feedback. One piece of feedback came in the form of a blog comment at the end of the entry. I responded to that comment with my own comment. The other piece of feedback had to do with query strings in URLs, and that comment came in the form of an email message through the following mailing list: users@opensso.dev.java.net. Obviously, I'm subscribed to that mailing list.

In fact, when I submit a new blog entry, I often send an email message to that mailing list. This is a great community approach that I picked up from other Sun bloggers. When it comes to feedback, I feel that comments on the blog are actually better because people who haven't subscribed to the mailing list can still see the comment. All the same, the mailing list is great. I feel that the OpenSSO community is really starting to gel. It's easier than ever to interact with the community now. Anyway, the following link is to various OpenSSO related mailing lists:

https://opensso.dev.java.net/servlets/ProjectMailingListList

The "users" mailing list has a lot of activity. To sign up to one of the mailing lists, you first need to register to the OpenSSO project. You can also do that from the link listed above.

All right then, for the comment I received about query strings, I wrote up a couple of short paragraphs that I'll add to my wildcard write up. I've added those paragraphs below. Leave a comment if you have anything you can add or suggest for these two extra paragraphs.


The following section is what I'm proposing to add to the write up about wildcards:

Handling Resources That Contain Query Strings:

Some resources use a query string, which is the part of a URL that contains data to be passed to web applications. The following is a feasible example of a URL that contains a query string: http://AgentHost/path/app?query-string. The question mark (?) is the separator. It is not part of the query string. Many scenarios exist in which query strings might be used. They can be used for personalization of the user's session. Sometimes an application might add some locale information for a page request. The following example demonstrates the use of such locale information:
http://AgentHost.com:8080/sampleapp/main.jsp?language=en&country=US.

Neither the multi-level wildcard (\*) nor the one-level wildcard (-\*-) match the question mark. Therefore, to define a policy resource that can handle the question mark, use the multi-level wildcard on both sides of a question mark, as follows: \*?\* (asterisk-question mark-asterisk).

Sunday Oct 05, 2008

Wildcards for OpenSSO

NOTE ADDED 10/11/08: For the most up-to-date info on wildcards see the following link:

http://wikis.sun.com/display/OpenSSO/openssowildcards

Earlier this year, Michael Teger blogged about wildcard use for our products as follows:

http://blogs.sun.com/docteger/entry/wildcard_matches_in_policy_agents

http://blogs.sun.com/docteger/entry/one_more_wildcard

I used this information to put together a write up for the OpenSSO Enterprise 8.0 and Policy Agent 3.0 documentation. I talked to a few developers to get some more info and to have them double check everything. So this should completely explain how you can use wildcards for policy-related situations when configuring OpenSSO or Policy Agent.

If anything looks unclear to you in this write up, please leave a comment.


Below is the write up about wildcard use in OpenSSO and Policy Agent.


Wildcard Matching in OpenSSO

The OpenSSO Enterprise policy service supports policy definitions that use either of the two following wildcards:

These wildcards can be used in policy-related situations, for example, when using the OpenSSO Enterprise Console or the ssoadm utility to create policies, or when configuring the Policy Agent property that sets the not-enforced list.


Caution - When issuing the ssoadm command, if you include values that contain wildcards (\* or -\*-), then the name/value pair should be enclosed in double quotes to avoid substitution by the shell.


For creating a policy, the following are feasible examples of the wildcards in use: http://agentHost:8090/agentsample/\* and http://agentHost:8090/agentsample/example-\*-/example.html.

For the not-enforced list, the following are feasible examples of the wildcards in use:

Web Agents: http://agentHost:8090/agentsample.com/\*.gif and http://agentHost:8090/agentsample/-\*-/images

J2EE Agents: /agentsample.com/\*.gif and /agentsample.com/-\*-/images


Note - A policy resource can have either the multi-level wildcard (\*) or the one-level wildcard (-\*-), but not both. Using both types of wildcards in the same policy resource is not supported.


The Multi-Level Wildcard: \*

The following list summarizes the behavior of the multi-level wildcard (the asterisk, \*):

  • Matches zero or more occurrences of any character except for the question mark (?).

  • Spans across multiple levels in a URL

  • Cannot be escaped. Therefore, neither the backslash character (\\) nor any other character can be used to escape the asterisk; for example, \\\* does not escape it.

The following examples show the multi-level wildcard character when used with the forward slash (/) as the delimiter character:

  • The asterisk (\*) matches zero or more characters, except the question mark, in the resource name, including the forward slash (/). For example, ...B-example/\* matches ...B-example/b/c/d, but doesn't match ...B-example/?

  • Multiple consecutive forward slash characters (/) do not match with a single forward slash character (/). For example, ...B-example/\*/A-example doesn't match ...B-example/A-example.

  • Any number of trailing forward slash characters (/) are not recognized as part of the resource name. For example, ...B-example/ or ...B-example// are treated the same as ...B-example.

Table B-1 Examples of the Asterisk (\*) as the Multi-Level Wildcard

Pattern: http://A-example.com:80/\*
  Matches:
    http://A-example.com:80
    http://A-example.com:80/
    http://A-example.com:80/index.html
    http://A-example.com:80/x.gif
  Does Not Match:
    http://B-example.com:80/
    http://A-example.com:8080/index.html
    http://A-example.com:80/a?b=1

Pattern: http://A-example.com:80/\*.html
  Matches:
    http://A-example.com:80/index.html
    http://A-example.com:80/pub/ab.html
    http://A-example.com:80/pri/xy.html
  Does Not Match:
    http://A-example.com/index.html
    http://A-example.com:80/x.gif
    http://B-example.com/index.html

Pattern: http://A-example.com:80/\*/ab
  Matches:
    http://A-example.com:80/pri/xy/ab/xy/ab
    http://A-example.com:80/xy/ab
  Does Not Match:
    http://A-example.com/ab
    http://A-example.com/ab.html
    http://B-example.com:80/ab

Pattern: http://A-example.com:80/ab/\*/de
  Matches:
    http://A-example.com:80/ab/123/de
    http://A-example.com:80/ab/ab/de
    http://A-example.com:80/ab/de/ab/de
    http://A-example.com:80/ab//de
  Does Not Match:
    http://A-example.com:80/ab/de
    http://B-example.com:80/ab/de/ab/de

The One-Level Wildcard: -\*-

The one-level wildcard (-\*-) matches only the defined level, starting at the location of the one-level wildcard and ending at the next delimiter boundary. The “defined level” refers to the area between delimiter boundaries. Many of the rules that apply to the multi-level wildcard also apply to the one-level wildcard.

The following list summarizes the behavior of hyphen-asterisk-hyphen (-\*-) as a wildcard:

  • Matches zero or more occurrences of any character except for the forward slash and the question mark (?).

  • Does not span across multiple levels in a URL

  • Cannot be escaped. Therefore, neither the backslash character (\\) nor any other character can be used to escape the hyphen-asterisk-hyphen; for example, \\-\*- does not escape it.

The following examples show the one-level wildcard when used with the forward slash (/) as the delimiter character:

  • The one-level wildcard (-\*-) matches zero or more characters (except for the forward slash and the question mark) in the resource name. For example, ...B-example/-\*- doesn't match ...B-example/b/c/ or ...B-example/b?

  • Multiple consecutive forward slash characters (/) do not match with a single forward slash character (/). For example, ...B-example/-\*-/A-example doesn't match ...B-example/A-example.

  • Any number of trailing forward slash characters (/) are not recognized as part of the resource name. For example, ...B-example/ or ...B-example// are treated the same as ...B-example.

Table B-2 Examples of the One-Level Wildcard (-\*-)

Pattern: http://A-example.com:80/b/-\*-
  Matches:
    http://A-example.com:80/b
    http://A-example.com:80/b/
    http://A-example.com:80/b/cd/
  Does Not Match:
    http://A-example.com:80/b/c?d=e
    http://A-example.com:80/b/cd/e
    http://A-example.com:8080/b/

Pattern: http://A-example.com:80/b/-\*-/f
  Matches:
    http://A-example.com:80/b/c/f
    http://A-example.com:80/b/cde/f
  Does Not Match:
    http://A-example.com:80/b/c/e/f
    http://A-example.com:80/f/

Pattern: http://A-example.com:80/b/c-\*-/f
  Matches:
    http://A-example.com:80/b/cde/f
    http://A-example.com:80/b/cd/f
    http://A-example.com:80/b/c/f
  Does Not Match:
    http://A-example.com:80/b/c/e/f
    http://A-example.com:80/b/c/
    http://A-example.com:80/b/c/fg
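As an added example (my own model, not OpenSSO's matcher), the following Python code implements the rules from this write up and from the query-string paragraphs in the Oct 07 entry above: \* matches anything except the question mark, -\*- also stops at the forward slash, trailing slashes are ignored, the two wildcards cannot be mixed, and neither can be escaped. The function names compile_pattern, matches and check_examples are mine.

```python
import re

# Added example, not OpenSSO's own code: a model of the wildcard rules
# documented above, good enough to check the rows in Tables B-1 and B-2.
MULTI_LEVEL = "*"    # spans URL levels; never matches "?"
ONE_LEVEL = "-*-"    # stays inside one level; never matches "/" or "?"


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate a policy resource pattern into a regular expression."""
    if ONE_LEVEL in pattern and MULTI_LEVEL in pattern.replace(ONE_LEVEL, ""):
        raise ValueError("a policy resource may use * or -*-, but not both")
    parts = []
    for token in re.split(r"(-\*-|\*)", pattern):   # -*- is tried before *
        if token == MULTI_LEVEL:
            parts.append(r"[^?]*")
        elif token == ONE_LEVEL:
            parts.append(r"[^/?]*")
        else:
            # Everything else, including a backslash, is literal: the
            # wildcards cannot be escaped, so "\*" is a backslash plus "*".
            parts.append(re.escape(token))
    return re.compile("".join(parts))


def matches(pattern: str, resource: str) -> bool:
    """Apply the pattern with the trailing-slash rule from the write up."""
    regex = compile_pattern(pattern)
    # Trailing slashes are not part of the resource name (".../b" == ".../b/"),
    # so compare the stripped form and the form with one slash restored; the
    # latter lets ".../80" match ".../80/*" with the wildcard matching nothing.
    base = resource.rstrip("/")
    return any(regex.fullmatch(candidate) for candidate in (base, base + "/"))


def check_examples(pattern: str, should_match, should_not_match) -> bool:
    """True when every listed resource lands in the expected table column."""
    return all(matches(pattern, r) for r in should_match) and not any(
        matches(pattern, r) for r in should_not_match)


if __name__ == "__main__":
    # One row from each table, plus the *?* form used for query strings.
    print(check_examples("http://A-example.com:80/ab/*/de",
          ["http://A-example.com:80/ab/123/de", "http://A-example.com:80/ab//de"],
          ["http://A-example.com:80/ab/de", "http://B-example.com:80/ab/de/ab/de"]))
    print(check_examples("http://A-example.com:80/b/c-*-/f",
          ["http://A-example.com:80/b/cde/f", "http://A-example.com:80/b/c/f"],
          ["http://A-example.com:80/b/c/e/f", "http://A-example.com:80/b/c/fg"]))
    print(matches("http://AgentHost.com:8080/sampleapp/*?*",
                  "http://AgentHost.com:8080/sampleapp/main.jsp?language=en&country=US"))
```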
