This information describes security considerations to keep in mind when you develop an application with this builder.
Most Content Model service calls require a LoginContext, an object which contains authentication information about a user. Given a java.security.Principal, the Content Model API LoginService returns a LoginContext for the user represented by this Principal.
The builder attempts to get the Principal from the HttpServletRequest so that it can use the Principal to obtain the LoginContext from the LoginService. If the Principal in the HttpServletRequest is null, the builder logs into the Content Model anonymously. Because most Content Model content (documents, document libraries, and folders) have access requirements, you typically want to log into the Content Model as the user who is running the web application. The way to do this depends on whether you are developing a local development application or a Portlet application.
local development application
If you are developing an local development application to be run in IBM® WebSphere® Application Server where the Content Model is installed, but not as a portlet to be published to WebSphere Portal, configure a J2EE security constraint for your application. When you run your model, you are prompted to authenticate and the principal is set on the HttpServletRequest. Portlet
If you do not do configure a J2EE security constraint, you may receive security exceptions from the Content Model and underlying JCR because you are anonymous and the anonymous user may not have access to the content you are trying to access.
If you are developing a portlet application to be run on WebSphere Portal server, add a Portlet Adapter to your model. Then, as with other portlet applications, log into WebSphere Portal and add your portlet to a page. Because users have to be logged into WebSphere Portal server to run your portlet, the principal is automatically set on the ServletRequest and the builder uses this principal to obtain the LoginContext.
You do not have to configure a J2EE security constraint in this scenario.
Parent topic: Portal Document Manager Access builder