Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0

How Web Agents Work

When a user points a browser to a particular URL on a protected deployment container, a variety of interactions take place as explained in the following numbered list. See the terminology list immediately following this numbered list for a description of terms.

  1. The web agent intercepts the request and checks information from the request against not-enforced lists. If specific criteria are met, the authentication process is by passed and access is granted to the resource.

  2. If authentication is required, the web agent validates the existing authentication credentials. If the existing authentication level is insufficient, the appropriate Access Manager Authentication Service will present a login page. The login page prompts the user for credentials such as username and password.

  3. The authentication service verifies that the user credentials are valid. For example, the default LDAP authentication service verifies that the username and password are stored in Sun Java System Directory Server. You might use other authentication modules such as RADIUS and Certificate modules. In such cases, credentials are not verified by Directory Server but are verified by the appropriate authentication module.

  4. If the user’s credentials are properly authenticated, the web agent checks if the users is authorized to access the resource.

  5. Based on the aggregate of all policies assigned to the user, the individual is either allowed or denied access to the URL.

Terminology: How Web Agents Work

Authentication Level

The ability to access resources can be divided into levels. Therefore, different resources on a deployment container (such as a web server or proxy server) might require different levels of authentication


Access Manager is made of many components. A service is a certain type of component that performs specific tasks. Some of the Access Manager services available are Authentication Service, Naming Service, Session Service, Logging Service, and Policy Service.

Authentication Module

An authentication interface, also referred to as an authentication module, is used to authenticate a user on Access Manager.


Roles are a Directory Server entry mechanism. A role's members are LDAP entries that possess the role.


A policy defines rules that specify access privileges to protected resources on a deployment container, such as a web server.