

SiteMinder Agents Overview

Agents are network entities that act as filters to enforce network access control or web access control. They are considered Policy Enforcement Points (PEPs). Agents monitor requests for resources. When a user requests a protected resource, the agent prompts the user for credentials that are based on an authentication scheme, and then sends the credentials to a Policy Server.

The Policy Server determines whether a user can be authenticated based on the credentials, and whether the user is authorized for the requested resource. The Policy Server then communicates with the Agent, which allows or denies access to the requested resource.

Web Agents, Affiliate Agents, EJB Agents, Servlet Agents, and RADIUS Agents are available by default. All other Agents are considered Custom Agents that must be created using the Agent APIs. Once created, you can configure Custom Agents in the Administrative UI.

Web Agents

Agents operate with web servers. When a user requests a page from the web server, the Web Agent communicates with the Policy Server. The agent processes the authentication and authorization requests before the user can access the resource. The Policy Server can also provide information that the agent uses to personalize content for the user.

The following diagram illustrates the three most basic transactions that an Agent and Policy Server handle. These transactions can contain more detailed information to enable customized content and support other features of the product. The process is similar whenever a user attempts to access a resource through a web server that an agent manages.

Illustration showing the three basic transactions that a Web Agent and Policy Server handle to provide access to a protected resource

The previous figure assumes that a user requests a protected resource for which the user is authorized. The agent checks with the Policy Server to determine whether the resource is protected. For protected resources, the agent gathers credentials from the user and forwards them to the Policy Server.

The Policy Server authenticates the user and informs the Web Agent that the user has been properly identified. Finally, the Web Agent determines whether the user is authorized for the resource by checking with the Policy Server. Once the Policy Server verifies authorization, the agent is notified. The agent allows the web server to display the protected resource to the user.
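The three transactions described above, modeled as an added example (this is not SiteMinder code and does not use its Agent API). The class and method names, the `/payroll/` realm, and the users are all constructed for illustration; the `trace` list records which transactions the agent sent to the Policy Server for each request.

```python
import hmac

class PolicyServer:
    """Toy decision point. All realms, users and rules here are constructed."""
    def __init__(self, realms, users, rules):
        self.realms = realms  # resource prefix -> authentication scheme
        self.users = users    # user name -> password (plaintext: toy only)
        self.rules = rules    # resource prefix -> users allowed to access it

    def _realm(self, resource):
        return next((p for p in self.realms if resource.startswith(p)), None)

    def is_protected(self, resource):
        """Transaction 1: return the required scheme, or None if unprotected."""
        return self.realms.get(self._realm(resource))

    def authenticate(self, user, password):
        """Transaction 2: verify the credentials the agent collected."""
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def is_authorized(self, user, resource):
        """Transaction 3: check the authenticated user against the rules."""
        return user in self.rules.get(self._realm(resource), set())

class Agent:
    """Enforcement point: asks the Policy Server, then allows or denies."""
    def __init__(self, server):
        self.server = server
        self.trace = []  # transactions sent to the Policy Server, in order

    def handle(self, resource, credentials=None):
        self.trace = ["is_protected"]
        scheme = self.server.is_protected(resource)
        if scheme is None:
            return "ALLOW"                 # unprotected: no further calls
        if credentials is None:
            return "CHALLENGE:" + scheme   # prompt the user per the scheme
        user, password = credentials
        self.trace.append("authenticate")
        if not self.server.authenticate(user, password):
            return "DENY"                  # never reaches authorization
        self.trace.append("is_authorized")
        allowed = self.server.is_authorized(user, resource)
        return "ALLOW" if allowed else "DENY"

def demo_agent():
    """Constructed sample policy: one protected realm, two users."""
    return Agent(PolicyServer({"/payroll/": "Basic"},
                              {"alice": "a-pass", "bob": "b-pass"},
                              {"/payroll/": {"alice"}}))
```

In this model a user who authenticates successfully but is not named in the rule for the realm is still denied, which is the difference between the second and third transactions.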

Agents that control the same resources and are of the same Agent type (all Web Agents, or all RADIUS Agents) can be grouped.

More information:

Agent Groups

RADIUS Agents

The Remote Authentication Dial-In User Service (RADIUS) protocol exchanges session authentication and configuration information between Network Access Servers (NAS) and RADIUS authentication servers. Proxy services, firewalls, or dial-up security devices often use the RADIUS protocol.

A RADIUS Agent secures an entire application that communicates using the RADIUS protocol.

The Policy Server can be used as a RADIUS authentication server. RADIUS Agents allow the Policy Server to communicate with the NAS client devices.

More information:

Use the Policy Server as a Radius Server

Application Server Agents

The Application Server Agent is a collection of Java components that provide a full-featured agent for securing WebLogic and WebSphere application server resources. The Application Server Agent integrates the product with the J2EE platform.

The Application Server Agent can protect the following components:

The Application Server Agent is a single Agent. From the perspective of the Policy Server, there are different Agent types that protect application server resources. The Agent types offer the flexibility to protect servlets and EJB components in the following ways:

Web Services Security (WSS) Agents

WSS (formerly SOA) Agents integrate with web and application servers to authenticate and authorize requests for access to SOAP/XML-based web services resources on those servers.