Sun Java System Access Manager Policy Agent 2.2 Guide for JBoss Application Server 4.0

J2EE Agent Filter Modes

The agent installation program and the J2EE agent AMAgent.properties configuration file allow you to set the agent filter in one of the five available modes of operation. Depending upon your security requirements, choose the mode that best suits your site's deployment. The following configuration property is used to control the mode of the agent filter:

com.sun.identity.agents.config.filter.mode

The value for this property can be one of the following: NONE, SSO_ONLY, J2EE_POLICY, URL_POLICY, or ALL.

Regardless of the mode the agent filter operates in, the agent realm continues to function if it is configured. As a result, the agent realm component may malfunction, or J2EE security policies that are configured in the application's deployment descriptors or used through the J2EE programmatic security API may evaluate negatively. To avoid this, disable the agent realm component, if necessary. The sections that follow describe the different agent filter modes.

J2EE Agent Filter Mode - NONE

This mode of operation effectively disables the agent filter. When operating in this mode, the agent filter allows all requests to pass through. However, if logging is enabled, the agent filter still logs all the requests that it intercepts.


Note –

This mode is provided to facilitate development and testing efforts in a controlled development or test environment. Do not use this mode of operation in a production environment at any time.


Although this mode disables the agent filter from taking any action on the incoming requests other than logging, it has no effect on the agent realm that may still be configured in your deployment container and may get invoked by the deployed application if the deployed application has J2EE security policies in its descriptors or uses programmatic security.


Note –

When the agent filter is operating in this mode, any declarative J2EE security policy or programmatic J2EE security API calls will return a negative result regardless of the user.


J2EE Agent Filter Mode - SSO_ONLY

This is the least restrictive mode of operation for the agent filter. In this mode, the agent simply ensures that all users who try to access protected web resources are authenticated using Access Manager Authentication Service.


Note –

When operating in this mode, any declarative J2EE security policy or programmatic J2EE security API calls evaluated for the application will result in negative evaluation.


J2EE Agent Filter Mode - J2EE_POLICY

In this mode, the agent filter and agent realm work together with various Access Manager services to ensure the correct evaluation of J2EE policies. These policies may be configured using the declarative security in the application's deployment descriptors, or may be implicit in the code of the application in the cases where it uses the J2EE programmatic security APIs. No URL policies defined in Access Manager take effect in this mode of filter operation.

When the deployed application uses declarative security in the web-tier, you must configure the agent to enable this feature. See Enabling Web-Tier Declarative Security in J2EE Agents for more information on how to enable this feature.

When running in the J2EE_POLICY mode, the agent ensures that the security principal is set in the system for every authorized user access. In the J2EE_POLICY mode, the agent will not enforce any applicable URL policies as defined in Access Manager.

J2EE Agent Filter Mode - URL_POLICY

In this mode, the agent filter is used to enforce various URL policies that may be defined in Access Manager.


Note –

When the agent filter is in the URL_POLICY mode, the agent does not enforce any applicable J2EE declarative security policies. Such policies along with any calls to J2EE programmatic security API return negative results.


J2EE Agent Filter Mode - ALL

This is the most restrictive mode of the agent filter. In this mode, the filter enforces both J2EE policies and URL policies as defined in Access Manager. This mode of operation requires that the agent realm be configured in the deployment container. When running in the ALL mode, the agent ensures that the security principal is set in the system for every authorized access.

This mode of operation is, with very few exceptions, the preferred mode for deployed production systems.
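
As an added example (not part of the original guide or of the agent's own tooling), the following Python script reads AMAgent.properties text and reports which policy types the configured filter mode enforces, following the mode descriptions above. The helper names, the wording of the findings, exact upper-case matching of the value, and the sample input are assumptions made for illustration.

```python
import re

MODE_KEY = "com.sun.identity.agents.config.filter.mode"
# mode -> (URL policies enforced, J2EE policies enforced), from the mode descriptions.
# Exact upper-case matching of the value is an assumption of this example.
MODES = {"NONE": (False, False), "SSO_ONLY": (False, False),
         "J2EE_POLICY": (False, True), "URL_POLICY": (True, False), "ALL": (True, True)}

def parse_properties(text):
    """Small .properties reader: #/! comments, '=', ':' or blank separator,
    backslash line continuation. Key escapes are not handled."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:      # trailing "" flushes a dangling continuation
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:   # odd trailing backslashes
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_filter_mode(text, production=True):
    """Return (mode, findings) for the filter mode set in AMAgent.properties text."""
    value = parse_properties(text).get(MODE_KEY)
    if value is None:
        return None, [MODE_KEY + " is not set in this file"]
    if value not in MODES:
        return value, ["unrecognised mode; expected one of " + ", ".join(MODES)]
    url, j2ee = MODES[value]
    findings = []
    if value == "NONE":
        findings.append("filter disabled, all requests pass through"
                        + (" (not for production use)" if production else ""))
    if not url:
        findings.append("Access Manager URL policies are not enforced")
    if not j2ee:
        findings.append("J2EE declarative and programmatic security checks return negative results")
    if value == "ALL":
        findings.append("agent realm must be configured in the deployment container")
    return value, findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# com.sun.identity.agents.config.filter.mode = ALL
com.sun.identity.agents.config.filter.mode = SSO_ONLY
"""

if __name__ == "__main__":
    mode, findings = audit_filter_mode(SAMPLE)
    print(mode)
    for f in findings:
        print(" -", f)
```

Run it against each environment's AMAgent.properties during deployment review; a result of NONE on a production host is the finding to act on first.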