DocTeger

OpenSSO Technical Information

And a Spoonful of Music

To Make the Medicine Go Down

Wildcard Matches in Policy Agents

A comment was left in yesterday's entry on policy logic concerning the lack of consistency in how the different policy agents treat the wildcard. Now I am not an agent expert but I did manage to gather some information for Mr. Robinson that, I hope, helps to shed some light on how the wildcard is used by agents.

The Policy Service in OpenSSO supports policy definitions using an asterisk (*) as the wildcard. Only * is supported as a wildcard and it can not be escaped as in \*.

A * :

• matches zero or more occurrences of any character.
• spans across multiple levels in a URL.

The following matching rules assume (rightfully so) the wildcard character is * and the delimiter character is /.

1. * matches zero or more characters, including /, in the resource name.
2. * matches one or more characters, including /, if the * appears at the end of the resource name and it is immediately preceded by a /. For example, abc/* doesn't match abc.
3. Multiple consecutive / characters don't match with a single /. For example, abc/*/xyz doesn't match abc/xyz.
4. For purposes of comparison, trailing / characters will not be considered as part of the resource name. For example, abc/ or abc// will be treated the same as abc.

Here are some examples:

Pattern	Matches	Doesn't Match
http://xyz.sun.com:80/*	http://xyz.sun.com:80/ http://xyz.sun.com:80/index.html http://xyz.sun.com:80/x.gif	http://abc.sun.com:80/ http://xyz.sun.com/index.html http://xyz.sun.com:8080/index.html
http://xyz.sun.com:80/*.html	http://xyz.sun.com:80/index.html http://xyz.sun.com:80/public/abc.html http://xyz.sun.com:80/private/xyz.html	http://xyz.sun.com/index.html http://xyz.sun.com:80/x.gif http://abc.sun.com/index.html
http://xyz.sun.com:80/*/abc	http://xyz.sun.com:80/private/xyz/abc/xyz/abc http://xyz.sun.com:80/xyz/abc	http://xyz.sun.com/abc http://xyz.sun.com/abc.html http://abc.sun.com:80/abc
http://xyz.sun.com:80/abc/*/def	http://xyz.sun.com:80/abc/123/def http://xyz.sun.com:80/abc/abc/def http://xyz.sun.com:80/abc/def/abc/def	http://xyz.sun.com:80/abc/def http://xyz.sun.com:80/abc//def

And while we're on the subject of wild things, think of X, the seminal punk band of all time. The song in this video isn't one they wrote (for that you'd have to check out Johnny Hit and Run Paulene, Nausea or Los Angeles) but it does segue nicely. Here's X covering The Trogg's (not Tone-Loc's) Wild Thing. And that's Chuck Berry on stage at the video's end - a wild thing in his own right.

UPDATE: For more information on policy logic and wildcards see the following entries:

• Policy Logic in OpenSSO
• The One-Level Wildcard for Policy Logic

Posted at 07:13AM Mar 05, 2008 by Michael Teger in Sun  |  Comments[4]