In this mode, the agent filter is used to enforce various URL policies that may be defined in Access Manager. This mode does not require the agent realm to be functional and can therefore be safely disabled. For information about disabling the agent realm, see Disabling the Agent Realm of Policy Agent 2.2 for Apache Tomcat Servlet/JSP Container.
When the agent filter is in the URL_POLICY mode, the agent does not enforce any applicable J2EE declarative security policies. Such policies along with any calls to J2EE programmatic security API return negative results.