When a user requests access to a resource protected by the J2EE Agent, the request flows through the policy enforcement points illustrated in Figure 9-1.
Figure 9-1 Access Control Flow
If users are not getting access to a resource when they should, you need to enable tracing (see Section 9.11, Viewing Log Files) and view the log files to determine where the error is occurring.
Login: The Identity Server supports a variety of contracts that can be used for logging in. You need to create a contract that is compatible with the J2EE server, if it has been configured to verify login credentials. You can select an
option, but if you configure the J2EE Agent to use this option, be sure that all defined contracts are compatible with the J2EE server. If a user logs into another Access Manager resource with a contract that is not compatible, the option allows the J2EE Agent to accept those login credentials, but the J2EE server denies access.
Access Manager Authorization Policy: To enable an Access Manager authorization policy, you must select the
option, create a protected resource, create a policy for the resource, then enable the policy.
Protected Resource: If you have enabled the
option but have not created a protected resource that matches the requested application URL or JavaBean, the user is denied access to the resource.
Web Authorization Policy or Enterprise JavaBean Authorization Policy: If the only requirement you have for granting access is authentication, you should create a policy that grants access based on the authenticated role. All users are assigned this role when they successfully authenticate to the Identity Server.
Application Server Authorization Policy: To enable the policies you have configured on the J2EE server, you must enable the
policy option. You must also create Access Manager Role policies for the roles that you have configured the J2EE server to use for authorization. Depending upon the application, role names can be case sensitive, so when you create the role, make sure to use the case the application expects.
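The following check for the role-name case problem described above is an added example, not part of the original documentation or of Access Manager. It assumes the application declares its roles in a standard web.xml deployment descriptor and that you supply the role names your Role policies assign as a plain set; the sample descriptor and role list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original page).
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>payroll</web-resource-name>
      <url-pattern>/payroll/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Manager</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>Manager</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <security-role><role-name>Employee</role-name></security-role>
</web-app>
"""

def descriptor_roles(xml_text):
    """Collect every <role-name> value, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "role-name" and el.text and el.text.strip()}

def compare_roles(app_roles, policy_roles):
    """Classify each application role as matched, case-mismatched, or missing."""
    by_folded = {}
    for name in policy_roles:
        by_folded.setdefault(name.casefold(), []).append(name)
    report = {"ok": [], "case_mismatch": {}, "missing": []}
    for role in sorted(app_roles):
        if role in policy_roles:
            report["ok"].append(role)
        elif role.casefold() in by_folded:
            # Same name, different case: the application may reject it.
            report["case_mismatch"][role] = sorted(by_folded[role.casefold()])
        else:
            report["missing"].append(role)
    return report

if __name__ == "__main__":
    # Constructed list standing in for the roles your Role policies assign.
    configured = {"manager", "auditor"}
    for key, value in compare_roles(descriptor_roles(SAMPLE_WEB_XML), configured).items():
        print(key, value)
```

A role reported under `case_mismatch` exists in a Role policy but not in the case the application expects; a role under `missing` has no Role policy at all.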