Appendix C Wildcard Matching in Policy Agent 3.0 Web Agents
The OpenSSO Enterprise policy service supports policy definitions that use either of the two following wildcards:
These wildcards can be used in policy related situations. For example, when using OpenSSO Enterprise Console or the ssoadm utility to create policies or when configuring the Policy Agent property that establishes the not-enforced list.
Caution – When issuing the ssoadm command, if you include values that contain wildcards (* or -*-), then the name/value pair should be enclosed in double quotes to avoid substitution by the shell. For more information about the ssoadm command, see Appendix D, Using the ssoadm Command-Line Utility With Agents.
For creating a policy, the following are feasible examples of the wildcards in use:
http://agentHost:8090/agentsample/*
http://agentHost:8090/agentsample/example-*-/example.html
For the not-enforced list, the following are feasible examples of the wildcards in use:
http://agentHost:8090/agentsample.com/*.gif
http://agentHost:8090/agentsample/-*-/images
Note –
-
No Support for Mixing Wildcards: A policy resource can have either the multi-level wildcard (*) or the one-level wildcard (-*-), but not both. Using both types of wildcards in the same policy resource is not supported.
-
Handling Resources That Contain Query Strings: Some resources use a query string, which is the part of a URL that contains data to be passed to web applications. The following is a feasible example of a URL that contains a query string:
http://AgentHost/path/app?query-string
The question mark (?) is the separator. It is not part of the query string. Many scenarios exist in which query strings might be used. They can be used for personalization of the user's session. Sometimes an application might add some locale information for a page request. The following example demonstrates the use of such locale information:
http://AgentHost.com:8080/sampleapp/main.jsp?language=en&country=US
Starting with OpenSSO Enterprise, neither the multi-level wildcard (*) nor the one-level wildcard (-*-) match the question mark. This is a change in behavior from Access Manager, where the multi-level wildcard (*) and the one-level wildcard (-*-) both matched the question mark. Because of this change in behavior, when you want to define a policy resource for OpenSSO Enterprise that can handle the question mark, use the multi-level wildcard on both sides of a question mark, as follows: *?* (asterisk-question mark-asterisk).
The Multi-Level Wildcard: *
The following list summarizes the behavior of the multi-level wildcard (the asterisk, *):
-
Matches zero or more occurrences of any character except for the question mark (?).
-
Spans across multiple levels in a URL
-
Cannot be escaped. Therefore, the backslash character (\) or other characters cannot be used to escape the asterisk, as such \*.
The following examples show the multi-level wildcard character when used with the forward slash (/) as the delimiter character:
-
The multi-level wildcard (*) matches zero or more characters, except the question mark, in the resource name, including the forward slash (/). For example, ...B-examp/* matches ...B-examp/b/c/d, but doesn't match ...B-examp/a?b=1
-
Multiple consecutive forward slash characters (/) do not match with a single forward slash character (/). For example, ...B-examp/*/A-examp doesn't match ...B-examp/A-examp.
-
Any number of trailing forward slash characters (/) are not recognized as part of the resource name. For example, ...B-examp/ and ...B-examp// are treated the same as ...B-examp.
|
Pattern |
Matches |
Does Not Match |
|---|---|---|
|
http://A-examp.com:8080/* |
http://A-examp.com:8080 http://A-examp.com:8080/ http://A-examp.com:8080/index.html http://A-examp.com:8080/x.gif |
http://B-examp.com:8080/ http://A-examp.com:8090/index.html http://A-examp.com:8080/a?b=1 |
|
http://A-examp.com:8080/*.html |
http://A-examp.com:8080/index.html http://A-examp.com:8080/pub/ab.html http://A-examp.com:8080/pri/xy.html |
http://A-examp.com/index.html http://A-examp.com:8080/x.gif http://B-examp.com/index.html |
|
http://A-examp.com:8080/*/ab |
http://A-examp.com:8080/pri/xy/ab/xy/ab http://A-examp.com:8080/xy/ab |
http://A-examp.com/ab http://A-examp.com/ab.html http://B-examp.com:8080/ab |
|
http://A-examp.com:8080/ab/*/de |
http://A-examp.com:8080/ab/123/de http://A-examp.com:8080/ab/ab/de http://A-examp.com:8080/ab/de/ab/de http://A-examp.com:8080/ab//de |
http://A-examp.com:8080/ab/de http://A-examp.com:8090/ab/de http://B-examp.com:8080/ab/de/ab/de |
The One-Level Wildcard: -*-
The one-level wildcard (-*-) matches only the defined level starting at the location of the one-level wildcard to the next delimiter boundary. The “defined level” refers to the area between delimiter boundaries. Many of the rules that apply to the multi—level wildcard also apply to the one-level wildcard.
The following list summarizes the behavior of hyphen-asterisk-hyphen (-*-) as a wildcard:
-
Matches zero or more occurrences of any character except for the forward slash and the question mark (?).
-
Does not span across multiple levels in a URL.
-
Cannot be escaped. Therefore, the backslash character (\) or other characters cannot be used to escape the hyphen-asterisk-hyphen, as such \-*-.
The following examples show the one-level wildcard when used with the forward slash (/) as the delimiter character:
-
The one-level wildcard (-*-) matches zero or more characters (except for the forward slash and the question mark) in the resource name. For example, ...B-examp/-*- doesn't match ...B-examp/b/c or ...B-examp/a?b=1
-
Multiple consecutive forward slash characters (/) do not match with a single forward slash character (/). For example, ...B-examp/-*-/A-examp doesn't match ...B-examp/A-examp.
-
Any number of trailing forward slash characters (/) are not recognized as part of the resource name. For example, ...B-examp/ and ...B-examp// are treated the same as ...B-examp.
|
Pattern |
Matches |
Does Not Match |
|---|---|---|
|
http://A-examp.com:8080/b/-*- |
http://A-examp.com:8080/b http://A-examp.com:8080/b/ http://A-examp.com:8080/b/cd/ |
http://A-examp.com:8080/b/c?d=e http://A-examp.com:8080/b/cd/e http://A-examp.com:8090/b/ |
|
http://A-examp.com:8080/b/-*-/f |
http://A-examp.com:8080/b/c/f http://A-examp.com:8080/b/cde/f |
http://A-examp.com:8080/b/c/e/f http://A-examp.com:8080/f/ |
|
http://A-examp.com:8080/b/c-*-/f |
http://A-examp.com:8080/b/cde/f http://A-examp.com:8080/b/cd/f http://A-examp.com:8080/b/c/f |
http://A-examp.com:8080/b/c/e/f http://A-examp.com:8080/b/c/ http://A-examp.com:8080/b/c/fg |
- © 2010, Oracle Corporation and/or its affiliates