How J2EE Agents Work

All J2EE agents communicate with OpenSSO Enterprise by XML over HTTP. J2EE agents contain two main components: the agent realm and the agent filter. Together, these two components affect the operation of the deployment container and the behavior of protected applications on the deployment container.

• Agent Filter

  The agent filter is installed within the protected application and facilitates the enforcement of the security policies, governing the access to all resources within the protected application. Every application protected by the agent must have its deployment descriptors changed to reflect that it is configured to use the agent filter. Applications that do not have this setting are not protected by the agent and might malfunction or become unusable if deployed on a deployment container where the agent realm is installed.

  The agent realm and agent filter work in tandem with OpenSSO Enterprise to enforce J2EE security policies as well as OpenSSO Enterprise based URL policies for authentication and authorization of clients attempting to access protected J2EE applications.

  The agent provides a fully configured and ready-to-use client installation of OpenSSO Enterprise SDK for the deployment container. This SDK offers a rich set of APIs supported by OpenSSO Enterprise that can be used to create security-aware applications that are tailored to work in the security framework offered by OpenSSO Enterprise.

• Agent Realm

  The agent realm, which is installed as a deployment container-specific platform component, enables the deployment container to interact with principals stored in OpenSSO Enterprise. The deployment container then communicates with OpenSSO Enterprise about user profile information. The agent realm needs to be configured correctly for the agent to enforce J2EE security policies for protected applications.

Policy Decision Process for J2EE Agents

The figure that follows is a flow chart of the policy decision process for J2EE agents. This figure illustrates how a single request is processed. The chart is useful in that it demonstrates to some degree how J2EE agents function.

The chart illustrates possible scenarios that can take place when an end user makes a request for a resource. Therefore, the end user points a browser to a URL. That URL is a resource, such as a JPEG image, HTML page, JSP page, etc. When a resource is under the sphere of influence of the J2EE agent, the agent intervenes to varying degrees, depending on the specifics of the situation, checks the request, and takes the appropriate action, which culminates with the user either being allowed or denied access to the resource. The chart reflects the potential paths a request makes before finally being allowed or denied. Moreover the chart illustrates how the filter mode is involved in the resource-request process.

You can see how this J2EE agent-specific flow chart compares to the web agent flow chart as illustrated in Examples of the Policy Decision Process by Agent Type. The comparison gives a sense of how the two agent types differ in how they handle requests for resources.

Figure 2–1 J2EE Agents and the Policy Decision Process