Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents

Configuring the Not-Enforced URL List

The not-enforced URL list defines the resources that should not have any policies (neither allow nor deny) associated with them.

By default, the web agent denies access to all resources on the deployment container that it protects. However, various resources (such as a web site or an application) available through a deployment container might not need to have any policy enforced. Common examples of such resources include the HTML pages and .gif images found in the home pages of web sites and the cascading style sheets (CSS) that apply to these home pages. The user should be able to browse such pages without authenticating. For the home page example, all these resources need to be on the not-enforced URL list or the page will not be displayed properly. The property labeled Not Enforced URLs (Tab: Application, Name: com.sun.identity.agents.config.notenforced.url) is used for this purpose. Wildcards can be used to define a pattern of URLs. For more information about the use of wildcards, see Appendix C, Wildcard Matching in Policy Agent 3.0 Web Agents.

There can be a reverse, or “inverted”, scenario when all the resources on the deployment container, except a list of URLs, are open to any user. In that case, the property labeled Invert Not Enforced URLs (Tab: Application, Name: com.sun.identity.agents.config.notenforced.url.invert) is used to reverse the meaning of the Not Enforced URLs property. If the Invert Not Enforced URLs property is enabled (by default it is not enabled), then the not-enforced URL list becomes the enforced list.


Example 4–6 Configuration Property Settings for Not-Enforced URL List

The following are examples:

Scenario 1: Not-Enforced URL List

The Invert Not Enforced URLs property is not enabled.

The following URLs are listed as values for the Not Enforced URLs property:

http://host1.example.com:80/welcome.html
http://host1.example.com:80/banner.html

In this case, authentication and policies will not be enforced on the two URLs listed on the not-enforced list. All other resources will be protected by the web agent.

Scenario 2: Inverted Not-Enforced URL List

The Invert Not Enforced URLs property is enabled.

The following URLs are listed as values for the Not Enforced URLs property:

http://host1.example.com:80/welcome.html
http://host1.example.com:80/banner.html

In this case, authentication and policies will be enforced by the web agent on the two URLs mentioned in the not-enforced list. All other resources will be accessible to any user.



Caution –

If feasible, do not enable the Invert Not Enforced URLs property.

Not enabling this property reduces the chance of unintentionally allowing access to resources.
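The following sketch is an added illustration, not code from this guide or from the agent itself. It models the decision described in Scenarios 1 and 2 to show why the inverted setting is riskier when a resource is missing from the list. The function names and the `/admin/console.html` URL are hypothetical, and matching is exact-string only (the wildcard rules of Appendix C are not modelled).

```python
# Added illustration: simplified model of the not-enforced decision.
# Exact string matching only; the wildcard rules in Appendix C are not modelled.

# The two URLs from Scenario 1 and Scenario 2.
NOT_ENFORCED_URLS = {
    "http://host1.example.com:80/welcome.html",
    "http://host1.example.com:80/banner.html",
}

# Constructed inventory: the listed pages plus one resource deployed later
# that nobody added to the list (hypothetical URL).
SITE_URLS = [
    "http://host1.example.com:80/welcome.html",
    "http://host1.example.com:80/banner.html",
    "http://host1.example.com:80/admin/console.html",
]


def is_enforced(url, url_list, invert=False):
    """True if authentication and policy are enforced on url."""
    listed = url in url_list
    # invert off: listed URLs are open, everything else is enforced.
    # invert on:  listed URLs are enforced, everything else is open.
    return listed if invert else not listed


def open_urls(urls, url_list, invert=False):
    """URLs any user can reach without authenticating."""
    return sorted(u for u in urls if not is_enforced(u, url_list, invert))


if __name__ == "__main__":
    for invert in (False, True):
        print(f"invert={invert}:")
        for url in open_urls(SITE_URLS, NOT_ENFORCED_URLS, invert):
            print("  open:", url)
```

With inversion off, the unlisted resource stays protected; with inversion on, it is the only resource left open, because omission from the list now means no enforcement.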