Community article: User Impersonation in Websphere Portal Server
Added by Brij Mohan Lal Srivastava | Edited by Brij Mohan Lal Srivastava on September 13, 2011 | Version 6
This article demonstrates how to use impersonation in Websphere Portal Server 6.1.5 and later versions.
Tags: websphere-portal, WebSphere Portal 7.0, portal-security, 6.1.5

Impersonation allows a user, such as a support specialist, to access a user’s workstation to test out a new page, portlet, and so on, and see issues as they occur on the workstation.

Impersonation was a new security feature introduced in Websphere Portal Server 6.1.5. It can be enabled through a few configuration steps described below and can then be used programmatically, as explained later. However, there is no out-of-box portlet for impersonation in WPS 6.1.5.

Websphere Portal Server 7.0.0 came up with an out-of-box portlet which can be used to find any user and impersonate them instantly, provided the current user has Delegator role for impersonating any user.

There are no differences between WPS 6.1.5 and WPS 7 for enabling the user impersonation service, so this article will work for both.

Enabling the impersonation feature involves creating a resource environment provider to enable impersonation and creating a portlet that lets you impersonate specific users. Portal Access Control provides the ability to impersonate other users.

Note: Before you can impersonate another user, you must first enable the impersonation feature and assign the Delegator role to the appropriate user.

 

Objective:

This article demonstrates how a user or a group of users can be assigned the Delegator role in order to mimic the access rights of another user and thus impersonate them.

With every new version of IBM Websphere Portal Server, several new features are introduced to help Portal developers provide a rich and positive user experience and deliver the proper content to each user. Features like security, personalization, user-editable content, etc. allow different users to view different content. This makes life difficult for another developer or a support specialist who has to resolve issues on that portal: he or she does not know what content is visible to the current user, and needs to find out the various configurations, roles and personalization before starting to debug the code or resolve the issue.

The user impersonation feature in WebSphere Portal 6.1.5 onwards alleviates this challenge by giving some users the ability to assume the profile of others. When one user impersonates another, the user can experience the portal as if they were the impersonated user. An impersonator assumes a given user’s security access, user profile attributes, portal page and portlet customizations.

The delegator is able to see the portal exactly as it is visible to the user who is getting impersonated.

Implementation:

Scenario:

We have the following scenario implemented –

Users:

1. Admin – Insurance company administrator who provides various services

2. Customer – End user who subscribes to various insurance plans provided by Admin

Each Customer can subscribe to multiple plans of an Admin, and there will be several Customers under a particular Admin.

When a Customer logs in, they see a home page with a portlet listing all the plans they have subscribed to.

When an Admin logs in, they see a home page with a portlet listing all the Customers who come under their services. On clicking any Customer, the Admin should be able to impersonate that Customer and thus see the portlet listing all the services that Customer has subscribed to, with all the security and personalization applied properly.

 

Step-by-Step Implementation:

Step 1:

WAS configurations to enable user impersonation:

1. Log on to the WebSphere Application Server Integrated Solutions Console or Network Deployment Administration Console.

2. Perform the following steps to enable the Impersonation feature:

a. Navigate to Resources > Resource Environment > Resource Environment Providers > WP Authentication Service > Custom Properties.

b. Click New.

c. Enter logout.explicit.filterchain in the Name field.

d. Enter com.ibm.wps.auth.impersonation.impl.ImpersonationLogoutFilter in the Value field.

e. Click Apply and then click Save to save the changes directly to the master configuration.

f. Navigate to Resources > Resource Environment > Resource Environment Providers > WP PortletServiceRegistryService > Custom Properties.

g. Click New.

h. Enter jndi.com.ibm.portal.portlet.service.impersonation.ImpersonationService in the Name field.

i. Enter com.ibm.wps.portletservice.impersonation.impl.ImpersonationServiceImpl in the Value field.

j. Click Apply and then click Save to save the changes directly to the master configuration.

3. Stop and restart the WebSphere_Portal server.

Step 2:

Portal configuration to assign the Delegator role to the group or user who should be able to impersonate other users:

a. Log on to WebSphere Portal as the Administrator.

b. Click Administration.

c. Click Access > User and Group Permissions.

d. Click Users or User Groups.

e. Search for the user or group you want to assign as Delegator.

f. Click the Select Resource Type icon for the required user.

g. Navigate to the page that contains the Virtual Resources option, using the Page Next button and click that link.

h. Navigate to the page that contains the USERS option and click the Assign Access icon.

i. Select the Explicitly Assign checkbox for the Delegator role.

j. Click OK.

k. Verify that the required user now has User and Delegator access.

The user(s) or groups with the Delegator role can now impersonate another user.

Step 3:

The following code initializes the Impersonation and PUMA services in the portlet and should be placed in the init method.

 

Listing 1:

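    // pshimpersonate (PortletServiceHome) and pumaHome (PumaHome) are fields of
    // the portlet class; they are used again by the action method in Listing 2.
    public void init() throws PortletException {
        super.init();
        try {
            javax.naming.Context ctx = new javax.naming.InitialContext();
            // Look up the home of the impersonation service registered in Step 1.
            pshimpersonate = (PortletServiceHome) ctx
                    .lookup(ImpersonationService.JNDI_NAME);

            // Look up the PUMA home, used later to find the user to impersonate.
            PortletServiceHome pshome;
            pshome = (PortletServiceHome) ctx.lookup(PumaHome.JNDI_NAME);
            pumaHome = (PumaHome) pshome.getPortletService(PumaHome.class);
        } catch (javax.naming.NameNotFoundException ex) {
            // The service is not registered under this JNDI name.
            ex.printStackTrace();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }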

 

 

 

Step 4:

When the Admin logs in, all the Customers are fetched using PumaLocator and are displayed on the home page. When any Customer is clicked, the following processAction code is executed:

 

Listing 2:

    @ProcessAction(name = "impersonateAction")
    public void impersonateAction(ActionRequest request, ActionResponse response)
            throws PortletException, java.io.IOException, PumaSystemException,
            PumaAttributeException, PumaMissingAccessRightsException, ImpersonationException {

        System.out.println("Entering UserImpersonationPortlet.impersonateAction()");
        // Getting form data
        String user_cn = request.getParameter("user_cn");
        System.out.println("User-cn : " + user_cn);
        // Obtain the service object and use the service
        ImpersonationService impersonationService = (ImpersonationService) pshimpersonate.getPortletService(ImpersonationService.class);
        PumaLocator pumaLocator = pumaHome.getLocator(request);
        // Typed list, so that users.get(0) is a User (com.ibm.portal.um.User)
        List<User> users = pumaLocator.findUsersByAttribute("cn", user_cn);
        if (users.size() > 0) {
            try {
                // Impersonate the first user whose cn matches
                impersonationService.doImpersonate(request, response, users.get(0));
            } catch (Exception e) {
                // Any failure is reported to the caller as an ImpersonationException
                throw new ImpersonationException();
            }
        }
        System.out.println("Exiting UserImpersonationPortlet.impersonateAction()");
    }

 

Using the ‘cn’ attribute of PUMA, we can get the ‘User’ object of the user to be impersonated. Passing that object to the doImpersonate() method lets us see the portal as it is visible to the impersonated user.

The PUMA group ‘Admin’ has been assigned as the delegator. So using:

    impersonationService.doImpersonate(request, response, users.get(0));

we can see the portal as it looks to the impersonated user. Thus all members of the PUMA group ‘Admin’ can now impersonate any user.
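Listing 2 impersonates users.get(0) for whatever cn the request carries, so a cn that matches several directory entries silently selects the first one. The following is an added example, not part of the original article or of IBM's API: a pre-check that accepts only a well-formed cn with exactly one match and writes an audit record of who impersonated whom. The class name, the Directory interface (a stand-in for the PUMA lookup), the cn pattern and the sample DNs are assumptions.

```java
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/** Added example: vets an impersonation target before doImpersonate() is called. */
public class ImpersonationTargetGuard {
    private static final Logger AUDIT = Logger.getLogger("impersonation.audit");
    // Assumption: cn values in this directory are short and use this character set.
    private static final Pattern CN = Pattern.compile("[A-Za-z0-9 ._-]{1,64}");

    /** Hypothetical stand-in for the PUMA lookup in Listing 2: DNs matching a cn. */
    public interface Directory { List<String> findDnsByCn(String cn); }

    private final Directory directory;
    public ImpersonationTargetGuard(Directory directory) { this.directory = directory; }

    /** Returns the single DN to impersonate, or throws if the request is refused. */
    public String resolve(String delegator, String requestedCn) {
        if (requestedCn == null || !CN.matcher(requestedCn).matches()) {
            return refuse(delegator, "malformed cn"); // raw input is never logged
        }
        List<String> matches = directory.findDnsByCn(requestedCn);
        if (matches.size() != 1) { // none or ambiguous: never fall back to get(0)
            return refuse(delegator, matches.size() + " matches for cn=" + requestedCn);
        }
        AUDIT.info("impersonation start delegator=" + delegator + " target=" + matches.get(0));
        return matches.get(0);
    }

    private String refuse(String delegator, String why) {
        AUDIT.warning("impersonation refused delegator=" + delegator + " reason=" + why);
        throw new SecurityException("impersonation refused: " + why);
    }

    public static void main(String[] args) {
        // Constructed sample directory: "jsmith" is unique, "alex" matches two entries.
        Map<String, List<String>> sample = Map.of(
            "jsmith", List.of("uid=jsmith,o=customers"),
            "alex", List.of("uid=alex1,o=customers", "uid=alex2,o=customers"));
        ImpersonationTargetGuard guard =
            new ImpersonationTargetGuard(cn -> sample.getOrDefault(cn, List.of()));
        System.out.println(guard.resolve("admin01", "jsmith"));
        for (String cn : new String[] {"alex", "nobody", "j*"}) {
            try { guard.resolve("admin01", cn); }
            catch (SecurityException e) { System.out.println(cn + " -> " + e.getMessage()); }
        }
    }
}
```

In the portlet, resolve() would run before doImpersonate(), with the delegator name taken from the authenticated session rather than from a request parameter.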

 

Limitations:

· Impersonation cannot be used with Client-Side Aggregation (CSA), so CSA should be disabled for all the pages where impersonation is to be used.

· Incomplete configuration may lead to exposure of sensitive information and has privacy implications. For example, a support person does not need to see the bank account or personal information of users, or we may need to ensure that data can only be read during impersonation, not created, updated or deleted.

· When a user who is enabled for impersonation impersonates other users, the people awareness feature is disabled for the entire session for which that user is authenticated.

 

Conclusion:

· Impersonation prevents several database operations from occurring redundantly.

· It helps support personnel view a customer’s query without prompting for credentials.

· It helps in providing a rich user experience by utilizing all the features provided by Websphere Portal Server. For example, complex personalization and security features may change the view of the portal as it is visible to another user.

· Relevant content can be delivered to the proper user and can be customized by a support person very easily.

· The way of implementing impersonation is the same in WPS 6.1.5 and WPS 7.0.0, so there is plenty of documentation and there are no compatibility issues.

 
 