When a user requests access to a resource protected by the J2EE Agent, the request flows through the policy enforcement points illustrated in Figure 8-1.
Figure 8-1 Access Control Flow
If users are not getting access to a resource when they should, you need to enable tracing (see Section 8.6, Viewing Log Files) and view the log files to determine where the error is occurring.
Login: The Identity Server supports a variety of contracts that can be used for logging in. You need to create a contract that is compatible with the J2EE server, if it has been configured to verify login credentials. You can select an
option, but if you configure the J2EE Agent to use this option, be sure that all defined contracts are compatible with the J2EE server. If a user logs into another Access Manager resource with a contract that is not compatible, the option allows the J2EE Agent to accept those login credentials, but the J2EE server will deny access.Access Manager Authorization Policy: To enable an Access Manager authorization policy, you must select the
option, create a protected resource, create a policy for the resource, then enable the policy.Protected Resource: If you have enabled the
option but have not created a protected resource that matches the requested application URL or JavaBean, the user is denied access to the resource.Web Authorization Policy or Enterprise JavaBean Authorization Policy: If the only requirement you have for granting access is authentication, you should create a policy that grants access based on the authenticated role. All users are assigned this role when they successfully authenticate to the Identity Server.
Application Server Authorization Policy: To enable the policies you have configured on the J2EE server, you must enable the
policy option. You must also create Access Manager Role policies for the roles that you have configured the J2EE server to use for authorization. Depending upon the application, role names can be case sensitive, so when you create the role, make sure to use the same case as the application expects.