J2ee policy agent + Access Manager sample

Similar Messages

• J2ee policy agent sample aplication

  Hello,
  i would like to secure my j2ee application by using j2ee policy agent in combination with Sun Indentity Manager 6.1 (Access Manager).
  I am new in this area, so i would like to ask if somebody know any SAMPLE application / example / turorial that shows step-by-step, who to cover this area.
  Thank you very much for any advise.
  -Eugen

  Hello,
  i would like to secure my j2ee application by using j2ee policy agent in combination with Sun Indentity Manager 6.1 (Access Manager).
  I am new in this area, so i would like to ask if somebody know any SAMPLE application / example / turorial that shows step-by-step, who to cover this area.
  Thank you very much for any advise.
  -Eugen

• J2EE Policy Agent

  I have read about a J2EE policy agent for the identity server. Does such thing exist?
  I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app.
  How can this be achieved? Would it involve creating a custom JAAS LoginModule for the appserver? I had issues with trying to install some of the identity server Servlets in a normal webapp running in tomcat due to the amserver.propries and the cryto libs for the JAAS.

  Hi Aaron,
  Let me take a stab at this and answer to the best of my ability.
  Currently J2EE agents are available only for web logic, in future will be available for other servers as well based on customer requirements.
  I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app. ** This sounds possible though you might have to run the identity server sdk from the app server machine.
  ** The next release of identity server would be supporting JAAS authentication module.
  ** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running it on top of the web server as it is today.

• J2EE policy agent notice

  Please note that as of July 27,2005; Sun JCE 1.2.1 has expiried. Detail see following url.
  http://jp.sunsolve.sun.com/search/document.do?assetkey=1-26-101796-1&searchclause=
  We have evaluated the impact and the following J2EE agents will stop functioning as of this date.
  1. J2EE policy agent for BEA WebLogic Server 6.1 SP2 : Solaris/HP-UX/Win2000 [version 2.1 and 2.1.1]
  2. J2EE policy agent for PeopleSoft 8.3/8.4/8.8 : Solaris/Win2000/AIX 5.1,5.2 [version 2.1 and 2.1.1]
  Both these agents should stop fully functioning as of 27th July/05. Please follow the steps listed below to rectify the situation :
  1. Download JCE 1.2.2 from URL : http://java.sun.com/products/jce/index-122.html
  2. Once you download the zip file, extract the following jar files
  * US_export_policy.jar
  * local_policy.jar
  * jce1_2_1.jar
  * sunjce_provider.jar
  3. Replace the four JCE lib jars in the agent installation with the jars downloaded from JCE 1.2.2
  Please note that excepting the two agents mentioned above will be affected; all other agent installations should not be impacted with the expiration of Sun JCE 1.2.1. Thanks, Jerry

  Hi Aaron,
  Let me take a stab at this and answer to the best of my ability.
  Currently J2EE agents are available only for web logic, in future will be available for other servers as well based on customer requirements.
  I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app. ** This sounds possible though you might have to run the identity server sdk from the app server machine.
  ** The next release of identity server would be supporting JAAS authentication module.
  ** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running it on top of the web server as it is today.

• J2EE Policy Agent Jars

  Hi,
  Could anyone who has installed a J2EE Policy Agent please send me the following jar files zipped up. My email address is [email protected] thanks for your help.
  /opt/SUNWam/j2ee_agents/lib/am_agent_sdk_2_1.jar
  /opt/SUNWam/j2ee_agents/lib/am_agent_filter_2_1.jar
  /opt/SUNWam/j2ee_agents/lib/am_as81_agent_2_1.jar

  Hi Aaron,
  Let me take a stab at this and answer to the best of my ability.
  Currently J2EE agents are available only for web logic, in future will be available for other servers as well based on customer requirements.
  I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app. ** This sounds possible though you might have to run the identity server sdk from the app server machine.
  ** The next release of identity server would be supporting JAAS authentication module.
  ** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running it on top of the web server as it is today.

• Difference between web policy agent and j2ee Policy agent ?

  Difference between web policy agent and j2ee Policy agent ?

  http://docs.sun.com/app/docs/doc/820-5816/ghscr?a=view

• J2EE Policy agent - login page config questions

  Hi,
  I'm trying to configure a customized login page for an application that is protected by a AM Policy Agent 2.2-01 on SJSAS 8.2.
  I am aware of this link:
  http://docs.sun.com/app/docs/doc/820-2539/gatai?l=en&a=view .
  This describes configuring the custom login for an app. Based on the doc, I have configured the following:
  1. I have the agent and my app on one instance on myhost.mydomain.com
  2. A url policy is protecting my app, configured in Access Manager 7.1. The url is http://myhost.mydomain.com:38080/myapp/*
  3. In my app's web.xml I have the following:
    <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/loginerror.jsp</form-error-page>
          </form-login-config> 4. In AMAgent.properties:
  com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
  com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
  com.sun.identity.agents.config.login.use.internal = false
  com.sun.identity.agents.config.login.content.file = FormLoginContent.txtThere doesnt seem to be any change in login page when I go to my app. It just redirects to the Access Manager login page, and when I login it redirects back to the app. The security behavior is correct but I would like the login page to be unique for the app.
  So my questions are:
  1. Am I using com.sun.identity.agents.config.login.use.internal correctly? I dont want it to use internal login, but my login file, right?
  2. My login page is protected by my url policy. Is that a problem? Should I be using com.sun.identity.agents.config.notenforced.uri[0] on the login page?
  3. Can anyone clarify to me exactly how and where the contents of FormLoginContent.txt is used?
  I'm kind of new to AM and Policy Agents, so i apologize if my questions seem very newb. Any help is appreciated. Thanks!
  -Matt

  Changing com.sun.identity.agents.config.filter.mode to URL_POLICY seemed to help. I am now seeing /myapp/login.jsp as the login page for my app. The logins themselves are failing, however. I am confused as to how to set up the jsp to work with the agent to log in.
  -Matt

• Authorization issue with J2EE Policy Agent for AS7

  Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
  <filter>
  <filter-name>Agent</filter-name>
  <display-name>Agent</display-name>
  <description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
  <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  </filter-mapping>
  The two resources /customer and /admin are subjected security constraints like:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>col2</web-resource-name>
  <url-pattern>/customer</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>customer</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  The role-to-principal mapping is done in the sun-web.xml like:
  <security-role-mapping>
  <role-name>customer</role-name>
  <group-name>customer</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  <security-role-mapping>
  <role-name>admin</role-name>
  <group-name>admin</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
  The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
  [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
  [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
  Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
  return the correct grops viz. customer,admin,anyone.
  PLEASE HELP

  -- Second Update --
  After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
  1. Some URL's has to be defined as not enforced.
  com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
  com.sun.am.policy.amFilter.notenforcedList[2]=*.css
  com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
  2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
  /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
  byPassSignon=TRUE
  defaultUserid="DEFAULT_USER"
  defaultPWD="your password"
  signon_page=amsignin.html
  signonError_page=amsignin.html
  logout_page=amsignin.html
  expire_page=amsignin.html
  However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
  Allow Public Access (cheked)
  User ID : DEFAULT_USER
  Password : your password
  HTTP Session Inactivity : (SSO TIMEOUT)
  and:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
  In section "SignOn/Logout" set the following values:
  Signon Page : amsignin.html
  Signon Error Page : amerror.html
  Logout Page : amsignout.html
  Note: After making any changes on the console; restart PIA (weblogic instance).
  With this the SSO with PeopleSoft is working Ok.
  Message was edited by:
  LpzYlnd

• Do I have to configure realm policy in Access Manager for IDM SPML Request

  Hi all,
  I wanted to run a SPML request from my application to the IDM which is presently protected by an AM server. Somehow, I get the following error, while I run a search using SpmlClient:
  org.openspml.util.SpmlException: Unsupported response content type "text/html", must be: "text/xml".
  Do I have to set a policy in Sun Access manager for the realm? Guys, pls help.
  Thanks,
  Aneesh.

  > I believe as long as you have access to the above two you can turn the CA off if you want.
  Enterprise CAs are not intended to be offline. Therefore, you should not turn off them. If these root CAs issue certificates only to subordinate CAs, then you should consider to implement offline Standalone (not Enterprise) Root CAs.
  > I believe the location of the CRL is detailed in the CDP which is detailed on the Certs issued but a given CA, so the client can look in the Cert and see what it states about the CDP and thereby get the list of revoked certs.
  this is correct.
  > to place its CDP at a location other than the  default location in case it overwrites the existing CRL at the default location
  no, CDP locations should be defined in the post-installation script.
  > does the fully qualified X500 name of the CDP include the CA Name (and therefore be unique) and it will not over write the original
  yes, LDAP URL includes CA server's NetBIOS name to differentiate between CAs.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Sun Access Manager Sample

  I have been trying to run one of the samples supplied with Access manager 2005q, namely the authentication samlpe in /SUNWam/samples/authentication/spi/providers.
  The sample seems to compile fine (after changing the encoding used). The question I have is what to do next? Following the text in the developers guide and readme, it says to move the .jar file to SUNWam/web-src/services/WEB-INF/lib and the .xml file to SUNWam/web-src/services/WEB-INF/lib.
  Im running access manager on a web-server, so i then rload amserver.war on the server, change the servers classpath so that the new .jar (LoginModuleSample.jar) file is there and restart the server.
  Am I missing something in this process? The auth module never seems to work, either giving me an authentication failed message, or an internal authentication error.
  Thanks for any help
  Keano

  Hi Keano,
  I don't know what steps you are missing but you can try the below example:
  http://developers.sun.com/prodtech/identserver/reference/techart/authentication.html
  Thanks,
  Raj

• What does the LoginModule sample do in the Access Manager samples

  hi,
  thanks for reading my question. I just wanted to know what the Login Module sample shows to a user.
  thanks
  dhawanmayur

  Hi Lars,
  Would the information in the link below help you?
  https://websmp208.sap-ag.de/~sapidb/011000358700002294272006E
  From what I understand, the only thing that Service Connector does is to "give the approval and the connection parameters" to your local SAP Router to initiate a network tunnel between your local SAP Router and SAP's SAP Router.
  I hope this helps.

• NSAPI in Access Manager & Policy Agent

  Hi all,
  May I know is it possible to use NSAPI to be a communication channel between policy agent and access manager?
  I have installed Sun One Web Server together with policy agent, access manager is installed in another machine.
  I've looked through all related documentation but could not find NSAPI for policy agent or access manager.
  Thanks in advance!

  Hi all,
  May I know is it possible to use NSAPI to be a communication channel between policy agent and access manager?
  I have installed Sun One Web Server together with policy agent, access manager is installed in another machine.
  I've looked through all related documentation but could not find NSAPI for policy agent or access manager.
  Thanks in advance!

• Securing web services with Sun Access Manager

  Hi!
  I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
  What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
  I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
  I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
  My questions are:
  1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
  2) Are there any documentation/tutorials/etc?
  Thanks in advance :-)
  Anders

  what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
  the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
  So.. having said that. here's what I'd recommend.
  1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
  2. configure it to use your access manager instance for authentication.
  3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
  4. voila... your webservices are not "protected" by acces manager ;-)

• Error 403 returned from WebSphere running Policy Agent

  Hi,
  I'm getting an error 403 (forbidden) in my browser when I try to access a URL that I have protected using a Policy that I have setup in SAM.
  My configuration is as follows:
  Sun Access Manager 6 2005Q1 on Solaris
  WebSphere AppServer 5.1.1.5 on Win 2000
  WebSphere 5.0 Policy Agent 2.1 on Win 2000
  At the moment, all I'm trying to do is protect a URL which is contained in a simple WAR file which I have deployed on WAS.
  As per the J2EE Policy Agents guide, I have installed the Agent Filter by adding the following into web.xml
  <web-app>
  <display-name>...</display-name>
  <description>...</description>
  <filter>
  <filter-name>Agent</filter-name>
  <display-name>Agent</display-name>
  <description>SunTM ONE Identity Server Policy Agent</description>
  <filter-class>com.sun.identity.agents.websphere.AmWAS50AgentFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  </filter-mapping>
  </web-app>
  I've switched on Global Security in WAS and successfully logged back into the WebSphere Console using amldapuser. This confirms that the Agent Realm is working correctly.
  In SAM I set up a Policy with a Rule that specified the URL I want to protect. I added a Subject to this Rule of type LDAP User. The user I chose was amadmin (for the moment).
  I also configued an Agent with agentRootURL=http://<WAS fully qualified domain name>:9080/
  When I try to access the URL of the servlet in the WAR, I am redirected to the SAM's login page
  http://<SAM fully qualified domain name>/amserver/UI/Login?goto=http%3A%2F%2F<WAS fully qualified domain name>%3A9080%2FRoamingApp%2FRoaming
  However, when I enter the amadmin/ <password> error 403 is returned to the browser.
  I've checked the logs on SAM
  From amAuthentication.access
  "2005-07-28 11:58:15" "Login Success" LDAP dc=acme,dc=com INFO uid=amAdm
  in,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,
  dc=com" <WAS IP address>
  From amSSO.access
  "2005-07-28 11:58:15" "SESSION CREATE" amSSO.access dc=acme,dc=com I
  NFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=
  DSAME Users,dc=acme,dc=com" <WAS IP address>
  From agent.log (Policy Agent on Win 2000)
  [Thursday, July 28, 2005 11:58:15 AM BST] [null]
  Access to http://<WAS fully qualified domain name>:9080/RoamingApp/Roaming denied for user UNKNOWN
  Perhaps I dont have the Policy in SAM configured correctly..... if anyone has come across this kind of problem before, I would greatly appreciate any help they can give me.
  Thanks,
  Justin

  Thanks for getting back to me Jerry.
  I had a look at the role-to-principal mappings you suggested. To do this I added a security constraint to my web.xml file.
  Then I reconfigured WebSphere so that the Active User Registry = LDAP instead of Custom. This allowed me to assign the LDAP group (in SAM) to the role (in web.xml). WAR file installed fine with these new bindings and I restarted WAS.
  Unfortunately, I'm still getting Error 403 in the browser!
  Any ideas as to what I might be doing wrong? Any help you can give me would be much appreciated.
  This is the amFilter log file from the Policy Agent...
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  AmFilter: incoming request =>
  HttpServletRequest: class => com.ibm.ws.webcontainer.srt.SRTServletRequest@1af52898
       Character Encoding     : null
       Content Lenght          : -1
       Content Type          : null
       Locale               : en_IE
       Accept Locales:
            en_IE
       Protocol          : HTTP/1.1
       Remote Address          : 172.20.13.96
       Remote Host          : 172.20.13.96
       Scheme               : http
       Server Name          : dubwrk1589.ie.pri.o2.com
       Server Port          : 9080
       Is Secure          : false
       Auth Type          : null
       Context Path          : /RoamingApp
       Cookies:
            amFilterParam: AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=
            amFilterRDParam: AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=
            WASReqURL: http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming
            JSESSIONID: 0000HRZTVpt84dvtjaLaKWBnwzu:-1
       Headers:
            accept:
                 image/gif
                 image/x-xbitmap
                 image/jpeg
                 image/pjpeg
                 application/msword
                 application/vnd.ms-excel
                 application/vnd.ms-powerpoint
                 application/x-shockwave-flash
            referer:
                 http://sam.digifone.com/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
            accept-language:
                 en-ie
            cookie:
                 amFilterParam=AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=; amFilterRDParam=AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=; WASReqURL=http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming; JSESSIONID=0000HRZTVpt84dvtjaLaKWBnwzu:-1
            accept-encoding:
                 gzip
                 deflate
            user-agent:
                 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
            host:
                 dubwrk1589.ie.pri.o2.com:9080
            connection:
                 Keep-Alive
            cache-control:
                 no-cache
       Method               : GET
       Path Info          : null
       Path Trans          : null
       Query String          : null
       Remote User          : null
       Requested Session ID     : 0000HRZTVpt84dvtjaLaKWBnwzu:-1
       Request URI          : /RoamingApp/login.jsp
       Servlet Path          : /login.jsp
       Session               : true
       User Principal          : null
       Attributes:
            com.ibm.servlet.engine.webapp.dispatch_type: forward
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  FQDNHandler: Incoming Server Name: [dubwrk1589.ie.pri.o2.com] Result: null
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  PatternRule{*/j_security_check}.matchString(/RoamingApp/login.jsp) => false
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  AmFilter: Login attempt number: 10
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  AmFilter: SSO Validation failed for null
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  AmFilter: Reseting Cookies in Response
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  WARNING: AmFilter: Login attempt number 10 failed for request URI: /RoamingApp/login.jsp
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  URLFailoverHelper: Checking if http://sam.digifone.com:80/amserver/UI/Login is available
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  URLFailoverHelper: URL http://sam.digifone.com:80/amserver/UI/Login is available
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  URLFailoverHelper: getAvailableURL() => http://sam.digifone.com:80/amserver/UI/Login
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  AmFilter: redirectURL is: http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  WARNING: AmFilter: redirect attempt limit reached for http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp, access will be denied
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  AmFilter: Using 403 forbidden to block access
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  getResource: id = 20004
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  AmFilter: result =>
  FilterResult:
       Status      : FORBIDDEN
       RedirectURL     : null
       RequestHelper:
            null
       Data:
            null
  07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
  getResource: id = 20008

• Configure security realm for external Access Manager in App server 8.1

  Hi All,
  I would like to protect my j2ee application using access manager running on an external host.
  I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
  external host & port of AM is:
  http://svrd234d.dnn.com.au:58765
  Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
  classname="com.sun.amagent.as.realm.AgentRealm"
  property name="jaas-context" value="agentRealm"
  property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
  property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

  Did you download AS8.1 agent under http://www.sun.com/download/products.xml?id=4266924d?
  If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
  Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
  Jerry