J2EE Agent Filter Modes

The agent installation program and the agent property labeled Agent Filter Mode (com.sun.identity.agents.config.filter.mode) allow you to set the agent filter in one of the five available modes of operation. Depending upon your security requirements, choose the mode that best suits your site's deployment.

The value for the Agent Filter Mode property can be one of the following:

• NONE

• SSO_ONLY

• J2EE_POLICY

• URL_POLICY

• ALL

The sections that follow describe the different agent filter modes.

J2EE Agent Filter Mode-NONE

This mode of operation effectively disables the agent filter. When operating in this mode, the agent filter allows all requests to pass through. However, if the logging is enabled, the agent filter will still log all the requests that it intercepts.

This mode is provided to facilitate development and testing efforts in a controlled development or test environment. Do not use this mode of operation in a production environment at any time.

When the agent filter is operating in this mode, any declarative J2EE security policy or programmatic J2EE security API calls will return a negative result regardless of the user.

J2EE Agent Filter Mode - SSO_ONLY

This is the least restrictive mode of operation for the agent filter. In this mode, the agent simply ensures that all users who try to access protected web resources are authenticated using OpenSSO Enterprise Authentication Service.

When operating in this mode, any declarative J2EE security policy or programmatic J2EE security API calls evaluated for the application will result in negative evaluation.

J2EE Agent Filter Mode - J2EE_POLICY

In this mode, the agent filter and agent realm work together with variousOpenSSO Enterprise services to ensure the correct evaluation of J2EE policies.

You can set these policies either in the application's deployment descriptors or, in cases where the application uses the J2EE programmatic security APIs, in the application code. URL policies that are defined in OpenSSO Enterprise do not take effect in this mode. If the application uses declarative security in the Web tier, you must configure the agent to enable that feature. See Enabling Web-Tier Declarative Security in J2EE Agents for more information on how to enable this feature. While running in the J2EE_POLICY mode, the Policy Agent ensures that the security principal is set in the system for all authorized accesses.

J2EE Agent Filter Mode - URL_POLICY

In the URL_POLICY mode, the agent filter enforces the URL policies that are defined in OpenSSO Enterprise.

When the agent filter is in the URL_POLICY mode, the agent does not enforce any applicable J2EE declarative security policies. Such policies along with any calls to J2EE programmatic security API return negative results.

J2EE Agent Filter Mode - ALL

This is the most restrictive mode of the agent filter. In this mode, the filter enforces both J2EE policies and URL policies as defined in OpenSSO Enterprise. This mode of operation requires that the agent realm be configured in the deployment container. When running in the ALL mode, the agent ensures that the security principal is set in the system for every authorized access.

The ALL mode is highly recommended for deployed production systems.