Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Portal Server 6.0

Not-Enforced URI List in J2EE Agents

The J2EE agent AMAgent.properties configuration file allows you to specify a list of URIs that are treated as not-enforced. Access to these resources is always granted by the agent. The configuration property that controls this list is as follows:

com.sun.identity.agents.config.notenforced.uri

If the deployed application has pages that use a large number of graphics that do not require agent protection, the best practice is to add such content to the agent’s not-enforced list so that system resources are used optimally. The following is an example of the entries that you may specify in the not-enforced list:

com.sun.identity.agents.config.notenforced.uri[0] = /images/*

com.sun.identity.agents.config.notenforced.uri[1] = /public/*.html

com.sun.identity.agents.config.notenforced.uri[2] = /registration/*

This enables the agent to focus on enforcing access control only over requests that do not match the given URI patterns. A wildcard (*) can be used in a URI pattern to indicate the presence of one or more characters.

Inverting the Not-Enforced URI List

In situations where only a small portion of the deployed application requires protection, you can configure the agent to do just that by inverting the not-enforced list. This results in the agent enforcing access control over the entries that are specified in the not-enforced list and allowing access to all other resources on the system. This feature is controlled by the following property:

com.sun.identity.agents.config.notenforced.uri.invert

When you set this property to true, the entries specified in the not-enforced list are treated as enforced entries, and the rest of the application resources are treated as not-enforced.


Caution –

When the not-enforced list is inverted, the number of resources for which the agent will not enforce access control is potentially very large. This feature should therefore be used with extreme caution and only after extensive evaluation of the security requirements of the deployed applications.
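As an evaluation aid for the caution above, the following added example (not part of this guide or of the agent's own code) parses not-enforced entries in the AMAgent.properties format and reports which URIs from an application inventory would be served without agent checks, in normal and inverted mode. The matcher is an assumption that follows this page's wording for the wildcard (one or more characters) and is not the agent's actual matching code; the sample properties text and the URI inventory are constructed.

```python
import re

# Constructed sample mirroring this page's example entries (not a real deployment file).
SAMPLE_PROPERTIES = """\
com.sun.identity.agents.config.notenforced.uri[0] = /images/*
com.sun.identity.agents.config.notenforced.uri[1] = /public/*.html
com.sun.identity.agents.config.notenforced.uri[2] = /registration/*
com.sun.identity.agents.config.notenforced.uri.invert = false
"""
PREFIX = "com.sun.identity.agents.config.notenforced.uri"


def parse_not_enforced(text):
    """Return (patterns, invert) from AMAgent.properties-style text."""
    patterns, invert = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        indexed = re.fullmatch(re.escape(PREFIX) + r"\[(\d+)\]", key)
        if indexed:
            patterns[int(indexed.group(1))] = value
        elif key == PREFIX + ".invert":
            invert = value.lower() == "true"
    return [patterns[i] for i in sorted(patterns)], invert


def pattern_to_regex(pattern):
    # Assumption: '*' stands for one or more characters, as this page words it.
    return re.compile(".+".join(re.escape(p) for p in pattern.split("*")))


def is_enforced(uri, patterns, invert):
    """True if access control would be enforced on this URI under the model."""
    listed = any(pattern_to_regex(p).fullmatch(uri) for p in patterns)
    return listed if invert else not listed


def unenforced(uris, patterns, invert):
    """URIs from an inventory that would be served without agent checks."""
    return [u for u in uris if not is_enforced(u, patterns, invert)]


# Constructed URI inventory for a hypothetical application.
INVENTORY = ["/images/logo.png", "/public/index.html", "/public/report.pdf",
             "/registration/new", "/admin/users", "/account/profile"]
```

With the same three entries, setting invert to true changes the unprotected set from the three listed paths to everything else in the inventory, including /admin/users and /account/profile.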



Note –