The access control configuration determines which Authorization policies are used to allow access to resources. The application server must be configured to allow the J2EE Agent to enforce authorization:
After you have configured the J2EE server for authorization, you need to configure the J2EE Agent for access control:
In the Administration Console, click > .
In the section, select one or more of the following:
Enforce application server policy: Allows access based on the policy of the application server. These policies are defined on the application server in a web.xml file for a .war file and in an ejb-jar.xml file for a .jar file.
IMPORTANT: If you select this option and you are using a JBoss server, see Section 4.2.2, Configuring Security Constraints for additional information.
Enforce additional authorization policies: Allows access based on the policies assigned to the protected resources. If you do not configure any protected resources, users are denied access to all resources. If a resource does not match any of the protected resource configurations, all users are denied access to that resource.
You can enable both of these options, only one, or none. If you select neither, any user can access the resources on the application server.
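The application server policy for a .war file is expressed as security-constraint entries in web.xml. The following Python script is an added example, not part of the product documentation: it lists each constrained URL pattern with its required roles and flags constraints that behave differently from what an administrator might expect. The sample descriptor and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor for illustration; not from a real application.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><web-resource-name>payroll</web-resource-name>
      <url-pattern>/payroll/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>hr</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>internal</web-resource-name>
      <url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def children(elem, name):
    """Direct children with the given local name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text):
    """Return (url_pattern, roles, methods, note) for every constrained pattern."""
    findings = []
    for sc in children(ET.fromstring(xml_text), "security-constraint"):
        auth = children(sc, "auth-constraint")
        roles = [r.text.strip() for a in auth for r in children(a, "role-name")]
        for wrc in children(sc, "web-resource-collection"):
            methods = [m.text.strip() for m in children(wrc, "http-method")]
            if not auth:
                note = "no auth-constraint: no role is required"
            elif not roles:
                note = "empty auth-constraint: all access is denied"
            elif methods:
                note = "roles apply only to the listed HTTP methods"
            else:
                note = "roles apply to all HTTP methods"
            for pattern in children(wrc, "url-pattern"):
                findings.append((pattern.text.strip(), roles, methods, note))
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

Run it against the descriptor of each deployed .war file before changing the enforcement options, and compare the output with the resources you expect to be protected.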
If you select only the J2EE Agent policies for authorization and you disable the option, remember that authentication is triggered by the Web page for a .jar file and by the web.xml file for a .war file.
IMPORTANT: Do not disable until you have configured and tested the J2EE Agent policies and know that they are enforcing the security you require and that users have access to the resources they require.
If you decided to use just the application server policies, click , then click > .
or
If you enabled , click and continue with one of the following: