The agent filter can be installed by modifying the deployment descriptor of the application that needs to be protected.
By default, only the Manager web application and the administration web application are protected when the agent filter is in the J2EE_POLICY mode.
The following steps explain how to install the agent filter for the application you want the agent to protect:
To install the agent filter, ensure that the application is not currently deployed on Apache Tomcat Servlet/JSP Container.
If it is currently deployed, remove it before proceeding any further.
Create the necessary backup files for the deployed application's deployment descriptors.
Since you will modify the deployment descriptor in the next step, creating backup files at this point is important.
(Conditional) If the agent filter is not deployed in the global deployment descriptor, modify the deployed application's deployment descriptor by editing the application's web.xml descriptor.
Add the <filter> element by adding the following lines:
<filter> <filter-name>Agent</filter-name> <display-name>Agent</display-name> <description>Identity Server Policy Agent Filter</description> <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class> </filter>
Add the <filter-mapping> element by adding the following lines:
<filter-mapping> <filter-name>Agent</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>INCLUDE</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>ERROR</dispatcher> </filter-mapping>
If you want to protect your application with J2EE declarative security, you must first perform the tasks described in Configuring J2EE Declarative Security for Apache Tomcat Servlet/JSP Container—Related Web Applications. You can also access the sample application in the PolicyAgentBase/sampleapp directory to learn how to build and deploy an application. The sampleapp directory is by no means a full fledged J2EE application. Rather it is a simple application that provides you with a quick reference to application specific deployment descriptors and various deployment modes of a J2EE agent. Once you successfully deploy the sampleapp and test all of its features, you can use it as a reference to other applications that will be protected by the J2EE agent.
Once the web.xml deployment descriptor is modified to reflect the new <DOCTYPE> and <filter> elements, the agent filter is added to the application. You can now redeploy your application on Apache Tomcat Servlet/JSP Container.
Ensure that role-to-principal mappings in container specific deployment descriptors are replaced with Access Manager roles or principals. You can retrieve Access Manager roles or principals for Access Manager 7 by issuing the agentadmin --getUuid command. For more information on the agentadmin --getUuid command, see agentadmin --getUuid.
You can also retrieve the universal ID for the user (UUID) using Access Manager 7 Console to browse the user profile.