How J2EE Agent contacts OpenAm?

Question

I have installed OpenAM in domain 1, and my application is in domain 2 protected with J2EE agent,My question is, Once I get access to my application after authentication do the agent contacts over the network to openam(for authorization), for every click I make on my application,If the answer is yes than what will be the performance impact if my agent and openam is in two domains which are geographically separated, If the answer is no,how does an agent invalidates an access to my application,when admin invalidates a user session from openAm home page.

Answer 1

By default OpenAM and J2EE Policy Agent communicates in Notification mode so OpenAM would notify (check notificationUrl field in config properties) an agent for any Logout events. Now, as mentioned by @warren-strange a J2EE Policy Agent periodically sends request to OpenAM server and that way it would be able to know if Token exists and is valid.

Answer 2

The agent needs to communicate with OpenAM for authorization decisions, but it will cache the resulting decision so subsequent evaluations will be local.

OpenAM can call back the agent in the container (that is what agentapp.war is for). This can be used to notify the agent that the users session is no longer valid. For example, if they logged out of OpenAM, or their session expired.

The performance impact will be very small. OpenAM is supporting installations with tens of millions of users - so unless your site is very large this will not be an issue.

You generally want to localize the agent to OpenAM traffic to the same data center when possible. If you had multiple regions you would want to have OpenAM instances in those regions. They can be configured to fail over to each other if required.