Not-Enforced URI List in J2EE Agents

Agents in the Policy Agent 3.0 software set allow you to specify a list of URIs that are treated as not-enforced. Access to these resources is always granted by the agent. The property labeled Not Enforced URIs (Tab: Application, Name: com.sun.identity.agents.config.notenforced.uri) controls the list.

If your deployed application has pages that use a bulk of graphics that do not need the agent protection, such content should probably be added to the agent’s not-enforced list to ensure the optimal utilization of the system resources. Following is an OpenSSO Enterprise Console example of the entries that you can specify in the not-enforced list:

/images/*

/public/*.html

/registration/*

This enables the agent to focus on enforcing access control only over requests that do not match these given URI patterns. The use of a wildcard (*) is allowed to indicate the presence of one or more characters in the URI pattern being specified. For more information about the use of wildcards with OpenSSO Enterprise and Policy Agent, see Appendix C, Wildcard Matching in Policy Agent 3.0 J2EE Agents.

Inverting the Not-Enforced URI List

In situations where only a small portion of the deployed application needs protection, you can configure the agent to do just that by inverting the not-enforced list. This results in the agent enforcing access control over the entries that are specified in the not-enforced list and allowing access to all other resources on the system. This feature is controlled by the property labeled Invert Not Enforced URIs (Tab: Application, Name: com.sun.identity.agents.config.notenforced.uri.invert).

When you enable this property, it changes the entries specified in the not-enforced list to enforced and the rest of the application resources are treated as not-enforced.

When the not-enforced list is inverted, the number of resources for which the agent will not enforce access control is potentially very large. The use of this feature should therefore be used with extreme caution and only after extensive evaluation of the security requirements of the deployed applications.

• When an access denied URI is specified, it is never enforced by the agent regardless of the configuration of the not-enforced list. Therefore, when a URI is listed as a value for the property labeled Resource Access Denied URI (Tab: Application, Name: com.sun.identity.agents.config.access.denied.uri), that resource is displayed when applicable by the agent whether or not that URI is listed as a value for the properties labeled Not Enforced URIs or Invert Not Enforced URIs. This behavior is necessary to ensure that the agent can use the access denied URI to block any unauthorized access for protected system resources.

• When configuring access denied URIs within the deployment descriptor of the web application, you must ensure that these values are added to the not-enforced list of the agent. Failing to do so can result in application resources becoming inaccessible by the user.

• Any resource that has been added to the not-enforced list must not access any protected resource. If it does so, it can result in unauthorized access to protected system resources. For example, if a servlet that has been added to the not-enforced list, in turn sends the request to another servlet, which is protected, it can potentially lead to unauthorized access to the protected servlet.