novdocx (en) 16 April 2010

6 Protecting Web and Enterprise JavaBeans Modules

The J2EE Agent mechanisms for protecting Web and EJB (Enterprise JavaBeans) modules have far more granularity than what you can configure on the J2EE application server. With the agent, you can be selective of what you are protecting. For a Web application, you can select to protect a specific page or group of pages. For an Enterprise JavaBean, you can select to protect a bean, an interface, a method, or a parameter. After selecting the granularity of the resource you want to protect, you can then configure a policy that grants access to this resource. You can use roles as part of this policy, but you can refine it by using other criteria such as LDAP attributes, credential profile attributes, or the day of the week.

The J2EE Agent also allows you to decide how you want the authorization to be handled. You can use the security settings configured on the application server, use the Authorization policies configured on the J2EE Agent, or use both methods.

The following sections explain how to set up security for your J2EE resources:

  Section 6.1, “Configuring Access Control”
  Section 6.2, “Protecting Web Resources”
  Section 6.3, “Protecting Enterprise JavaBeans Resources”

6.1 Configuring Access Control

The access control configuration determines which Authorization policies are used to allow access to resources.
The application server must be configured to allow the J2EE Agent to enforce authorization:

  Section 4.2, “Configuring Applications on the JBoss Server”
  Section 4.3, “Configuring Applications on the WebSphere Server”
  Section 4.4, “Configuring Applications on the WebLogic Server”

After you have configured the J2EE server for authorization, you need to configure the J2EE Agent for access control:

1 In the Administration Console, click Devices > J2EE Agents > Edit.

2 In the Access Control Configuration section, select one or more of the following:

  Enforce application server policy: Allows access based on the policy of the application server. These policies are defined on the application server in a web.xml file for a .war file and in an ejb-jar.xml file for a .jar file.

  IMPORTANT: If you select this option and you are using a JBoss server, see Section 4.2.2, “Configuring Security Constraints,” for additional information.
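Because the Enforce application server policy option relies on what the deployment descriptor declares, it helps to list what a web.xml actually constrains before selecting it. The following Python is an added example, not part of this guide or the product; the sample descriptor is constructed and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml for illustration (not taken from the guide).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Payroll pages</web-resource-name>
      <url-pattern>/payroll/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so descriptors of different versions match."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]

def list_constraints(web_xml):
    """Return one (url_pattern, methods, access) tuple per constrained pattern."""
    rows = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        if not auth:
            access = "no role required"   # no <auth-constraint>: any caller is allowed
        else:
            # An <auth-constraint> with no <role-name> denies every caller.
            access = ", ".join(_texts(auth[0], "role-name")) or "no access"
        methods = ", ".join(_texts(sc, "http-method")) or "all methods"
        for pattern in _texts(sc, "url-pattern"):
            rows.append((pattern, methods, access))
    return rows

if __name__ == "__main__":
    for row in list_constraints(SAMPLE_WEB_XML):
        print("%-14s %-12s %s" % row)
```

A row that names specific HTTP methods leaves the other methods on that pattern unconstrained by the application server, and a row showing "no role required" is not restricted to any role.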