http://docs.sun.com/app/docs/doc/819-2143/6n4f0tger?a=view Web Agents
Web agents control access to content on web servers and proxy servers. The content that web agents can protect include a multitude of services and web resources based on policies configured by an administrator. When a user points a browser to a URL deployed on a protected web or proxy server, the agent intercepts the request and validates the user�s session token, if any exists. If the token�s authentication level is insufficient (or none exists), the appropriate Authentication Service is called for a login page, prompting the user for (further) authentication. The Authentication Service verifies that the user credentials are valid. For example, the LDAP service verifies that the user name and password are stored in an LDAP v3 compliant directory server, such as Sun Java System Directory Server. After the user�s credentials are properly authenticated, the agent examines all the roles and groups (which contain the policies) assigned to the user. Based on the aggregate of all policies assigned to the user, the individual is either allowed or denied access to the URL.
J2EE Agents
Access Manager provides agents for protecting J2EE applications in a variety of deployment containers, such as application and portal servers.
A J2EE policy agent can be installed for protecting a variety of hosted J2EE applications, which might require a varying set of security policy implementation. The security infrastructure of J2EE provides declarative as well as programmatic security that are platform-independent and are supported by all the J2EE-compliant servers. For details on how to use J2EE platform declarative as well as programmatic security, refer to J2EE documentation at
http://java.sun.com/j2ee. The agent helps enable role-to-principal mapping for protected J2EE applications with Access Manager principals. Therefore, at runtime, when a J2EE policy is evaluated, the evaluation is against the information available in Access Manager. Using this functionality, you can configure hosted J2EE applications so that they are protected by the J2EE agent, which provides real security services and other key features such as single sign-on. Apart from enabling J2EE security for hosted applications, J2EE agents also provide complete support for Access Manager based URL policies for enforcing access control over web resources hosted in deployment containers, such as an application servers.
While web agents and J2EE agents both work with Access Manager to implement authentication and authorization processes, the design of the J2EE agents allows them to also enforce J2EE security. The J2EE agents are generally comprised of two components (although this is partially subject to the interfaces exposed and supported by the deployment container): an agent filter for authentication and an agent realm for authorization.