Troubleshooting
Problem
If a resource is specified in the AAA Info File as a plain string rather than as a PCRE expression, unexpected authorization may result.
Symptom
In this example, the AAA Info File specified the resource as "getCustomerData", based on the erroneous assumption that simple string comparison is used in the evaluation.
The intent was to allow authorization to a single resource by the name "getCustomerData" only.
However, since a PCRE expression is required here and PCRE matching is used in the evaluation (not string comparison), the authorization will succeed for any string containing "getCustomerData", such as "getCustomerDatabySSN" or "getCustomerDatabyAddress".
This debug-level log shows the evaluation in detail and the authorization result:
20110802T143714Z [aaa][debug] wsgw(myGateway):tid(87936704)[request][1.2.3.4]: Authorizing with xmlfile
20110802T143714Z [aaa][debug] wsgw(myGateway):tid(87936704)[request][1.2.3.4]: Matching Authorize entry:result="allow" InputCredential="BobsCredential" InputResource="getAccountNumber|getAccountBalance|getCustomerData"
20110802T143714Z [aaa][debug] wsgw(myGateway):tid(87936704)[request][1.2.3.4]: Found 1 matching Authorize entries for input-credential="BobsCredential" and input-resource="getCustomerDataByPhoneNumber"
20110802T143714Z [aaa][debug] wsgw(myGateway):tid(87936704)[request][1.2.3.4]: Cached Authorize entry
20110802T143714Z [aaa][info] wsgw(myGateway):tid(87936704)[request][1.2.3.4]: xmlfile authorization succeeded with credential 'aaa:OutputCredential=BobsCredential' for resource 'getCustomerDataByPhoneNumber'
20110802T143714Z [aaa][info] wsgw(myGateway):tid(87936704)[request][1.2.3.4]: Message allowed
Ensure that the resource specification in the AAA Info File is a PCRE expression. In some cases, anchors such as ^ (start of string) or $ (end of string) might be needed to achieve the desired evaluation. Check the PCRE specification for details.
In DataPower, debug-level logging can be enabled in the Troubleshooting panel to provide sufficient detail in the log about the evaluation results.
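The anchoring advice above, applied to the InputResource pattern from the debug log. This is an added example, not part of the original document or of DataPower. It assumes the evaluation behaves like an unanchored PCRE search, which Python's re.search reproduces for these simple patterns. The function names and the probe names marked as constructed are hypothetical.

```python
import re

# Pattern copied from the "Matching Authorize entry" log line on this page.
LOGGED_PATTERN = "getAccountNumber|getAccountBalance|getCustomerData"
# The three resource names the entry was meant to allow.
INTENDED = ["getAccountNumber", "getAccountBalance", "getCustomerData"]
PROBES = INTENDED + [
    "getCustomerDataByPhoneNumber",  # resource authorized in the log
    "getCustomerDatabySSN",          # named in the Symptom text
    "getCustomerDatabyAddress",      # named in the Symptom text
    "getAccountNumberHistory",       # constructed probe
    "forgetAccountBalance",          # constructed probe
]

def allowed(pattern, resources):
    """Resources matched by an unanchored search (the assumed evaluation model)."""
    rx = re.compile(pattern)
    return [r for r in resources if rx.search(r)]

def over_matches(pattern, intended=INTENDED, probes=PROBES):
    """Probe resources the pattern authorizes although they were not intended."""
    return [r for r in allowed(pattern, probes) if r not in intended]

def naive_anchor(pattern):
    """Pitfall: ^ binds only to the first alternative and $ only to the last."""
    return "^" + pattern + "$"

def anchor(pattern):
    """Group the alternation so ^ and $ apply to every alternative."""
    return "^(?:" + pattern + ")$"

if __name__ == "__main__":
    for label, pat in [("as logged", LOGGED_PATTERN),
                       ("naive anchors", naive_anchor(LOGGED_PATTERN)),
                       ("grouped anchors", anchor(LOGGED_PATTERN))]:
        print(f"{label:16} {pat}")
        print(f"{'':16} unintended matches: {over_matches(pat) or 'none'}")
```

Adding ^ and $ around an ungrouped alternation still over-matches, so a pattern with several alternatives needs the grouping shown in anchor().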
Document Information
Modified date: 21 June 2018
UID: swg21515058