
Wildcard Matching in OpenSSO

The OpenSSO Enterprise policy service supports policy definitions that use either of the following two wildcards:

  • The Multi-Level Wildcard (asterisk): *
  • The One-Level Wildcard (hyphen-asterisk-hyphen): -*-

These wildcards can be used wherever policy resources are specified: for example, when using the OpenSSO Enterprise Console or the ssoadm utility to create policies, or when configuring the Policy Agent property that establishes the not-enforced list.

Caution
When issuing the ssoadm command, if you include values that contain the multi-level wildcard or the one-level wildcard, then the name/value pair should be enclosed in double quotes to avoid substitution by the shell.

For creating a policy, the following are feasible examples of the wildcards in use:

http://agentHost:8090/agentsample/*

http://agentHost:8090/agentsample/example-*-/example.html

For the not-enforced list, the following are feasible examples of the wildcards in use:

Web Agents:

http://agentHost:8090/agentsample.com/*.gif
http://agentHost:8090/agentsample/-*-/images

J2EE Agents:

/agentsample.com/*.gif
/agentsample.com/-*-/images

Note

  • No Support for Mixing Wildcards: A policy resource can have either the multi-level wildcard (asterisk) or the one-level wildcard (hyphen-asterisk-hyphen), but not both. Using both types of wildcards in the same policy resource is not supported.
  • Handling Resources That Contain Query Strings: Some resources use a query string, which is the part of a URL that contains data to be passed to web applications. The following is a feasible example of a URL that contains a query string:

    http://AgentHost/path/app?query-string

    The question mark (?) is the separator. It is not part of the query string. Many scenarios exist in which query strings might be used. They can be used for personalization of the user's session. Sometimes an application might add some locale information for a page request. The following example demonstrates the use of such locale information:

    http://AgentHost.com:8080/sampleapp/main.jsp?language=en&country=US

    Starting with OpenSSO Enterprise, neither the multi-level wildcard (asterisk) nor the one-level wildcard (hyphen-asterisk-hyphen) matches the question mark. This is a change in behavior from Access Manager, where the multi-level wildcard (asterisk) and the one-level wildcard (hyphen-asterisk-hyphen) both matched the question mark. Because of this change in behavior, when you want to define a policy resource for OpenSSO Enterprise that can handle the question mark, use the multi-level wildcard on both sides of a question mark (asterisk-question mark-asterisk), as follows:

    *?*

The Multi-Level Wildcard (asterisk)

The following list summarizes the behavior of the multi-level wildcard (asterisk):

  • Matches zero or more occurrences of any character except for the question mark.
  • Spans across multiple levels in a URL.
  • Cannot be escaped. Therefore, the backslash character or other characters cannot be used to escape the asterisk, as in:
    \*

The following examples show the multi-level wildcard character when used with the forward slash as the delimiter character:

  • The asterisk matches zero or more characters, except the question mark, in the resource name, including the forward slash. For example,
    ...B-example/*

    matches

    ...B-example/b/c/d

    but doesn't match

    ...B-example/?
  • Multiple consecutive forward slash characters do not match with a single forward slash character. For example,
    ...B-example/*/A-example

    doesn't match

    ...B-example/A-example
  • Any number of trailing forward slash characters are not recognized as part of the resource name. For example,
    ...B-example/

    and

    ...B-example//

    are treated the same as

    ...B-example

Table 1: Examples of the Multi-Level Wildcard

Pattern: http://A-example.com:80/*
  Matches:
    http://A-example.com:80
    http://A-example.com:80/
    http://A-example.com:80/index.html
    http://A-example.com:80/x.gif
  Does Not Match:
    http://B-example.com:80/
    http://A-example.com:8080/index.html
    http://A-example.com:80/a?b=1

Pattern: http://A-example.com:80/*.html
  Matches:
    http://A-example.com:80/index.html
    http://A-example.com:80/pub/ab.html
    http://A-example.com:80/pri/xy.html
  Does Not Match:
    http://A-example.com/index.html
    http://A-example.com:80/x.gif
    http://B-example.com/index.html

Pattern: http://A-example.com:80/*/ab
  Matches:
    http://A-example.com:80/pri/xy/ab/xy/ab
    http://A-example.com:80/xy/ab
  Does Not Match:
    http://A-example.com/ab
    http://A-example.com/ab.html
    http://B-example.com:80/ab

Pattern: http://A-example.com:80/ab/*/de
  Matches:
    http://A-example.com:80/ab/123/de
    http://A-example.com:80/ab/ab/de
    http://A-example.com:80/ab/de/ab/de
  Does Not Match:
    http://A-example.com:80/ab//de
    http://A-example.com:80/ab/de
    http://B-example.com:80/ab/de/ab/de

The One-Level Wildcard (hyphen-asterisk-hyphen)

The one-level wildcard (hyphen-asterisk-hyphen) matches only the defined level starting at the location of the one-level wildcard to the next delimiter boundary. The "defined level" refers to the area between delimiter boundaries. Many of the rules that apply to the multi-level wildcard also apply to the one-level wildcard.

The following list summarizes the behavior of hyphen-asterisk-hyphen as a wildcard:

  • Matches zero or more occurrences of any character except for the forward slash and the question mark.
  • Does not span across multiple levels in a URL.
  • Cannot be escaped. Therefore, the backslash character or other characters cannot be used to escape the hyphen-asterisk-hyphen, as in:
    \-*-

The following examples show the one-level wildcard when used with the forward slash as the delimiter character:

  • The one-level wildcard matches zero or more characters (except for the forward slash and the question mark) in the resource name. For example,
    ...B-example/-*-

    doesn't match

    ...B-example/b/c/

    or

    ...B-example/b?
  • Multiple consecutive forward slash characters do not match with a single forward slash character. For example,
    ...B-example/-*-/A-example

    doesn't match

    ...B-example/A-example
  • Any number of trailing forward slash characters are not recognized as part of the resource name. For example,
    ...B-example/

    and

    ...B-example//

    are treated the same as

    ...B-example

Table 2: Examples of the One-Level Wildcard

Pattern: http://A-example.com:80/b/-*-
  Matches:
    http://A-example.com:80/b
    http://A-example.com:80/b/
    http://A-example.com:80/b/cd/
  Does Not Match:
    http://A-example.com:80/b/c?d=e
    http://A-example.com:80/b/cd/e
    http://A-example.com:8080/b/

Pattern: http://A-example.com:80/b/-*-/f
  Matches:
    http://A-example.com:80/b/c/f
    http://A-example.com:80/b/cde/f
  Does Not Match:
    http://A-example.com:80/b/c/e/f
    http://A-example.com:80/f/

Pattern: http://A-example.com:80/b/c-*-/f
  Matches:
    http://A-example.com:80/b/cde/f
    http://A-example.com:80/b/cd/f
    http://A-example.com:80/b/c/f
  Does Not Match:
    http://A-example.com:80/b/c/e/f
    http://A-example.com:80/b/c/
    http://A-example.com:80/b/c/fg
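The rules stated above for both wildcards, the trailing-slash rule, the no-escaping rule, the no-mixing rule and the query-string note can be checked against Tables 1 and 2 with a small matcher. The Python below is an added example written for this page; it is not OpenSSO's own resource-name code, and it reimplements the page's stated rules with one assumption made here: consecutive forward slashes in a resource are collapsed to one before matching, which is what makes the ab//de row of Table 1 behave as the table shows. The table data is transcribed from the page; everything else is illustrative.

```python
import re

MULTI = "*"     # multi-level wildcard: any characters except '?', may span '/'
ONE = "-*-"     # one-level wildcard: any characters except '/' and '?'


def canonicalize(resource: str) -> str:
    """Normalize a resource URL before matching.

    Trailing '/' characters are dropped, as the page states. Consecutive '/'
    characters in the path are collapsed to one (an assumption made in this
    example so that 'ab//de' does not match 'ab/*/de', as Table 1 shows).
    The '//' after the scheme is left untouched.
    """
    scheme, sep, rest = resource.partition("://")
    if not sep:
        scheme, rest = "", resource
    rest = re.sub(r"/{2,}", "/", rest).rstrip("/")
    return scheme + sep + rest


def _translate(fragment: str) -> str:
    """Turn a pattern fragment into regex source, wildcard by wildcard."""
    out, i = [], 0
    while i < len(fragment):
        if fragment.startswith(ONE, i):
            out.append(r"[^/?]*")      # one level only: never crosses '/' or '?'
            i += len(ONE)
        elif fragment[i] == MULTI:
            out.append(r"[^?]*")       # spans levels, but never crosses '?'
            i += 1
        else:
            # Everything else, backslash included, is literal: no escaping.
            out.append(re.escape(fragment[i]))
            i += 1
    return "".join(out)


def pattern_to_regex(pattern: str) -> str:
    """Compile a policy resource pattern to an anchored regex."""
    pattern = pattern.rstrip("/")      # trailing delimiters are not significant
    tail = None
    # A pattern whose last level is only a wildcard also matches the resource
    # that stops just before that level ('.../b/-*-' matches '.../b').
    for wild in (ONE, MULTI):
        if pattern.endswith("/" + wild):
            tail, pattern = wild, pattern[: -len(wild) - 1]
            break
    body = _translate(pattern)
    if tail is not None:
        body += "(?:/" + _translate(tail) + ")?"
    return "^" + body + "$"


def matches(pattern: str, resource: str) -> bool:
    """True when the canonicalized resource is covered by the pattern."""
    if ONE in pattern and MULTI in pattern.replace(ONE, ""):
        raise ValueError("mixing * and -*- in one policy resource is not supported")
    return re.match(pattern_to_regex(pattern), canonicalize(resource)) is not None


# Rows of Tables 1 and 2 transcribed from the page: (pattern, matches, does not match).
A, B = "http://A-example.com:80", "http://B-example.com:80"
TABLE_1 = [
    (A + "/*", [A, A + "/", A + "/index.html", A + "/x.gif"],
     [B + "/", "http://A-example.com:8080/index.html", A + "/a?b=1"]),
    (A + "/*.html", [A + "/index.html", A + "/pub/ab.html", A + "/pri/xy.html"],
     ["http://A-example.com/index.html", A + "/x.gif", "http://B-example.com/index.html"]),
    (A + "/*/ab", [A + "/pri/xy/ab/xy/ab", A + "/xy/ab"],
     ["http://A-example.com/ab", "http://A-example.com/ab.html", B + "/ab"]),
    (A + "/ab/*/de", [A + "/ab/123/de", A + "/ab/ab/de", A + "/ab/de/ab/de"],
     [A + "/ab//de", A + "/ab/de", B + "/ab/de/ab/de"]),
]
TABLE_2 = [
    (A + "/b/-*-", [A + "/b", A + "/b/", A + "/b/cd/"],
     [A + "/b/c?d=e", A + "/b/cd/e", "http://A-example.com:8080/b/"]),
    (A + "/b/-*-/f", [A + "/b/c/f", A + "/b/cde/f"],
     [A + "/b/c/e/f", A + "/f/"]),
    (A + "/b/c-*-/f", [A + "/b/cde/f", A + "/b/cd/f", A + "/b/c/f"],
     [A + "/b/c/e/f", A + "/b/c/", A + "/b/c/fg"]),
]


def check_table(rows):
    """Return the (pattern, resource, expected) triples the matcher gets wrong."""
    failures = []
    for pattern, should_match, should_not in rows:
        failures += [(pattern, r, True) for r in should_match if not matches(pattern, r)]
        failures += [(pattern, r, False) for r in should_not if matches(pattern, r)]
    return failures


if __name__ == "__main__":
    for name, rows in (("Table 1", TABLE_1), ("Table 2", TABLE_2)):
        bad = check_table(rows)
        print(name, "reproduced" if not bad else "disagreements: %r" % bad)
    # Query strings: only a pattern with '*?*' reaches past the '?'.
    print(matches("http://AgentHost/path/*", "http://AgentHost/path/app?query-string"))    # False
    print(matches("http://AgentHost/path/*?*", "http://AgentHost/path/app?query-string"))  # True
```

Running the block reproduces every row of both tables. The practical point for a not-enforced list is the query-string case: a trailing `/*` stops at the `?`, so a URL such as `/app?query-string` is still enforced unless the resource is written with `*?*`, and the no-mixing rule is enforced by raising rather than silently matching.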


Copyright 1994-2009 Sun Microsystems, Inc.