Sun Java System Access Manager Policy Agent 2.2 Guide for BEA WebLogic Server/Portal 9.2

Installing the Agent Filter for the Deployed Application on Agent for BEA WebLogic Server/Portal 9.2

Much of the task described subsequently applies to both BEA WebLogic Server 9.2 and BEA WebLogic Portal 9.2. However, the most critical information required for performing this task is also provided separately inPortal: Deploying the Agent Application. If you would prefer to follow the simplified instructions, see that section.

The agent filter can be installed by modifying the deployment descriptor of the application that needs to be protected.

ProcedureTo Install the Agent Filter for the Deployed Application on Agent for BEA WebLogic Server/Portal 9.2

The following steps explain how to install the agent filter for the application you want the agent to protect:

  1. (Conditional) If the application is currently deployed on BEA WebLogic Server/Portal 9.2, remove it before proceeding any further.

  2. Create the necessary backups before proceeding to modify these descriptors.

    Since you will modify the deployment descriptor in the next step, creating backup files at this point is important.

  3. Edit the application’s web.xml descriptor.

    The filters were introduced in Servlet Specification 2.3. For more information about this specification, see

    The <DOCTYPE> element of the web.xml descriptor must be changed to reflect that the deployment descriptor is, at minimum, a Servlet 2.3 compliant deployment descriptor. To reflect this compliance perform the following substeps.

    1. Set the <DOCTYPE> element as follows:

      <!DOCTYPE web-app PUBLIC 
      "-//Sun Microsystems, Inc.//DTD Web Application2.3//EN"
    2. Add the <filter> elements in the deployment descriptor by specifying the <filter> and the <filter-mapping> elements immediately following the description element of the <web-app> element in the descriptor web.xml.

      The following is a sample web.xml descriptor with the <filter> and the <filter-mapping> elements added:


    Ensure that the agent filter element precedes all the other <filter> elements. Similarly, the filter mapping element should be before all the other <filter-mapping> elements. In practice, the agent filter should first intercept the request to properly enforce policies on the whole application.

    Once the web.xml deployment descriptor is modified to reflect the new <DOCTYPE> and <filter> elements, the agent filter is added to the application. You can now redeploy your application on BEA WebLogic Server/Portal 9.2.

Focus on BEA WebLogic Server 9.2

Note –

The rest of this section focuses on BEA WebLogic Server 9.2, not on BEA WebLogic Portal 9.2. For information specific to the web.xml deployment descriptor regarding BEA WebLogic Portal 9.2, see Portal: Installing the Agent Filter for the Deployed Application on Agent for BEA WebLogic Server/Portal 9.2.

If you want to protect your application with J2EE declarative security or with any other filter modes, such as ALL or URL_POLICY, refer to the PolicyAgent-base/sampleapp directory to learn how to build and deploy an application. The sampleapp directory is by no means a full fledged J2EE application. Rather it is a simple application that provides you with a quick reference to application specific deployment descriptors and various deployment modes of a J2EE agent. Once you successfully deploy sampleapp and test all of its features, you can use it as a reference to other applications that will be protected by the J2EE agent.

Note –

If you run this agent in J2EE_POLICY mode, map Access Manager roles to the principal names for the deployed application. The principal names are available in the weblogic.xml file and the weblogic-ejb-jar.xml file. Either or both of these files might exist.

You can retrieve Access Manager roles by issuing the agentadmin --getUuid command. For more information on this command, see agentadmin --getUuid. You can also retrieve the universal ID for the user (UUID) using the Access Manager 7 Console to browse the user profile.

Mapping that converts Access Manager roles to principal names is performed by configuring the following property:


For more information on setting this property, see the following: