J2EE policy agent fails to log when the log action is LOG_DENY (6729386) (Sun Java System Access Manager Policy Agent 2.2 Release Notes)

Sun Java System Access Manager Policy Agent 2.2 Release Notes

Previous: J2EE_POLICY and ALL filter modes do not work on 2.2-02 J2EE Agent on Oracle Application Server 10g (6790321)
Next: Performance issue resolved for policy agent (6768406)

J2EE policy agent fails to log when the log action is `LOG_DENY` (6729386)

For a J2EE agent, the Audit Log properties in AMAgent.properties are set as:

com.sun.identity.agents.config.audit.accesstype = LOG_DENY
com.sun.identity.agents.config.log.disposition = ALL

If a user for whom the access is denied to a J2EE protected resource tries to access a the resource in a deployed application, access to the protected resource is denied, but there is no entry in the logs for the deny action on either the Access Manager or J2EE agent side.

Workaround. None. This is a limitation of the product. For a J2EE policy to be evaluated, the control is given to the web container on which the agent is deployed, to determine the access policies. The web container doesn't send the access decision back to the agent for a resource that is protected with J2EE security policies. The web container just denies the access, and the agent cannot effectively log when the access is denied.