0

GlassFish, Policy Agent, OpenAM, Portal on Spring:

I have a task to prevent access to Access Manager from some blocked users (users are blocked dynamically by using the portal), so that they cannot connect to it and overload AM. After some googling I understood that I need to prevent access to Access Manager at the Policy Agent step (maybe I am wrong). I found that it is possible to add filters to web.xml.

So I added a custom filter which redirects blocked users to another page:

<filter>
    <filter-name>denyBlockedUsers</filter-name>
    <filter-class>some.portal.servlets.DenyBlockedUsers</filter-class>
</filter>

<filter-mapping>
    <filter-name>denyBlockedUsers</filter-name>
    <url-pattern>/locked/*</url-pattern>
</filter-mapping>

Everything works fine.

For AM I have filter:

<filter>
    <filter-name>Agent</filter-name>
    <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>

Question: will it really not connect to Access Manager before this filter? How can I check it? Logs?

yons88

2 Answers

1

In filter one you can do the following.

If the request is from a blocked user, then the first filter itself can forward to another error page like blockeduser.jsp; otherwise, forward to filter 2 (/agent/*).

<filter>
    <filter-name>
      denyBlockedUsers
    </filter-name>
    <filter-class>
      some.portal.servlets.DenyBlockedUsers
    </filter-class>
  </filter>

  <filter>
    <filter-name>
      Agent
    </filter-name>
    <filter-class>
      com.filters.Filter2
    </filter-class>
  </filter>


  <!-- Map the filter to a Servlet or URL -->

  <filter-mapping>
    <filter-name>
      denyBlockedUsers
    </filter-name>
    <url-pattern>
      /locked/*
    </url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>
      Agent
    </filter-name>
    <url-pattern>
      /agent/*
    </url-pattern>
  </filter-mapping>
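
A sketch of the first filter described in this answer, added here as an example and not part of the original answer or of OpenAM: it stops the chain for blocked users, so a filter whose filter-mapping comes later in web.xml for the same URL is never invoked for that request. The cookie name `portalUser` and the context attribute `portal.blockedUsers` are assumptions about how the portal exposes the user and the block list.

```java
import java.io.IOException;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

public class DenyBlockedUsers implements Filter {
    private static final Logger LOG = Logger.getLogger(DenyBlockedUsers.class.getName());
    // Assumption: the portal publishes its current block list under this context attribute.
    static final String BLOCKED_ATTR = "portal.blockedUsers";
    // Assumption: the portal sets this cookie to the user's login name.
    static final String USER_COOKIE = "portalUser";

    private ServletContext ctx;

    @Override
    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String user = userFrom((HttpServletRequest) req);
        @SuppressWarnings("unchecked")
        Set<String> blocked = (Set<String>) ctx.getAttribute(BLOCKED_ATTR);
        if (user != null && blocked != null && blocked.contains(user)) {
            // The value matched a block-list entry, so it is safe to log as-is.
            LOG.info("denied before agent filter: user=" + user);
            // Filter mappings default to the REQUEST dispatcher only, so this
            // forward does not re-enter filters unless FORWARD is mapped.
            req.getRequestDispatcher("/blockeduser.jsp").forward(req, res);
            return; // chain.doFilter() is skipped: later filters never run
        }
        chain.doFilter(req, res); // not blocked: continue to the next mapped filter
    }

    private static String userFrom(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (USER_COOKIE.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    @Override
    public void destroy() { }
}
```

The cookie is client-supplied and read before authentication, so this only sheds load from requests that still carry a blocked user's name; it is not an access-control decision. The log line gives a per-request record that the chain stopped at this filter.
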
0

If 'Access Manager' is OpenAM then AgentFilter MUST NOT be run in the same container.

Typically the 'Access Manager' performs authentication ... so how can you block someone you don't know? To know someone's identity, authentication has to be performed.

You may explain your use case in detail though.

Bernhard Thalmayr