Since the release of IBM WebSphere Portal 7, there have been a number of Portal EL beans exposed for access in your theme. EL beans are Java objects that can be used with the JSTL Expression Language. One of these objects, the AccessControlRuntimeModelBean, provides convenient access to the current access control permissions on a resource.

In the default Portal 8.0 theme, for example, you can find the following code stanza, which is used to determine whether or not a Help link should be shown in the UI. The snippet is in /themes/html/dynamicSpots/commonActions.jsp and it looks like this:

<%-- Help icon - only displayed for users with admin or editor role --%>
<portal-logic:if loggedIn="yes" line="1">
    <c:set var="admin" value="<%=com.ibm.portal.ac.data.RoleType.ADMIN%>"/>
    <c:if test="${wp.ac[wp.selectionModel.selected].hasPermission[admin]}">
        <a class="wpthemeHelp" href="javascript:void(0);" onclick="javascript:window.open('/wps/iehs/topic/com.ibm.wp.admin.help/admin/h_wp_admin_welcome.html','wpthemeHelp','width=800,height=600')" aria-label="<portal-fmt:text key="help.title" bundle="nls.commonUI"/>" aria-haspopup="true" role="button">
            <img src="${themeConfig['resources.modules.ibm.contextRoot']}/themes/html/dynamicSpots/icons/blank.gif" alt="">
            <span class="wpthemeAltText"><portal-fmt:text key="help.title" bundle="nls.commonUI"/></span>
        </a>
    </li>
    </c:if>
</portal-logic:if>

First, a JSTL variable, admin, is being set with the value of a RoleType constant representing the Administrator role. The AccessControlRuntimeModelBean is exposed as an EL bean called wp.ac, which has a hasPermission method that takes the RoleType as parameter. That’s the part, written in expression language, that looks like this:

${wp.ac[wp.selectionModel.selected].hasPermission[admin]}

So, you can use the same general stanza to check whether or not the current user is in a given role on a given resource.

Your Copy/Paste Template…

Here’s a general template you can use to copy/paste from. When replacing and , remember to eliminate the less-than and greater-than symbols.

<portal-logic:if loggedIn="yes">
    <c:if test="${wp.ac[wp.selectionModel.selected].hasPermission[<role_type_var>]}">
        ... render something ...
    </c:if>
</portal-logic:if>

And here’s a useful variation, which checks against a named portal page, rather than the currently selected page.

<portal-logic:if loggedIn="yes">
    <c:if test="${wp.ac[wp.navigationModel['uniquename']].hasPermission[<role_type_var>]}">
        ... render something ...
    </c:if>
</portal-logic:if>

Role Types:

The com.ibm.portal.ac.data.RoleType object shown above exposes the following RoleType constants:

  • ADMIN
  • SECURITY_ADMIN
  • DELEGATOR
  • CAN_RUN_AS_USER
  • MANAGER
  • EDITOR
  • MARKUP_EDITOR
  • CONTRIBUTOR
  • PRIVILEGED_USER
  • USER

Related Content

You may also be interested in another useful Portal EL Bean, which I describe in my post, How to Display User Attributes in a WebSphere Portal Theme.

See: Portal EL Beans in the WebSphere Portal Family wiki for a list of all the EL beans.

Acknowledgements

Special thanks goes to Georgy Gobozov who provided information that improved the quality of this post. Georgy blogs about Android and WebSphere Portal development, among other things (in both Russian and English) on his weblog, Блоггг.

XMLAccess samples

XMLAccess is a command-line utility for exporting and importing various portal configuration settings in an XML format. The utility takes an XML file as input and produces an XML file, which is the result of the input. It’s a very common way of moving configuration settings from one environment to another. On the portal file system, there are a number of useful samples, which can be used as-is or as a basis for creating your own scripts. Following is a list of the available XMLAccess samples. I wanted to list these on my blog because it’s often more convenient to check them here than on the actual server file system.

XMLAccess samples

Found in <PortalServer-root>/doc/xml-samples.
(list made from samples found in IBM WebSphere Portal version 8)

ActivatePortlet.xml
CleanSystemSlots.xml
CleanupUsers.xml
ClonePortlet.xml
CopyPage.xml
CreateAnalyticsTags.xml
CreateApplicationFolder.xml
CreateCsaPage.xml
CreateFilter.xml
CreateLanguage.xml
CreateLegacyPage.xml
CreatePage.xml
CreatePageFromTemplate.xml
CreatePageFromZip.xml
CreateTagsAndRatings.xml
CreateTemplateFolder.xml
CreateUrl.xml
CreateUser.xml
CreateWSRPProducer.xml
DeleteAnalyticsTags.xml
DeleteFilter.xml
DeletePage.xml
DeletePortlet.xml
DeleteTagsAndRatings.xml
DeleteUser.xml
DeployPortlet.xml
DeployTheme.xml
DeployThemeFromWebModule.xml
Export.xml
ExportAllPolicyNodes.xml
ExportAllPortlets.xml
ExportAllUsers.xml
ExportAnalyticsTags.xml
ExportIncludingOrphanedData.xml
ExportManagedPagesRelease.xml
ExportPage.xml
ExportPageResult.xml
ExportPortletAndPage.xml
ExportPortletAndStaticPage.xml
ExportRelease.xml
ExportStaticPage.xml
ExportSubTree.xml
ExportTagsAndRatings.xml
ExportTasks.xml
ExportThemesAndSkins.xml
ExportUserResource.xml
ExportWSRPCustomizedPortletInstances.xml
ExportWSRPProducer.xml
ExportWSRPProducersAndPortlets.xml
FederationDeletion.xml
FederationImport.xml
IntegrateRemotePortlet.xml
ModifyPortlet.xml
MovePage.xml
RegisterPreDeployedEAR.xml
Task.xml
Transaction.xml
UpdateAccesscontrol.xml
UpdateFilter.xml
UpdatePortlet.xml
UpdateVault.xml

Example: export all themes and skins

Following is an example of how one of these scripts might be executed on a UNIX system:

/usr/IBM/WebSphere/PortalServer/bin/xmlaccess.sh \
    -user wpsadmin -password <password> \
    -url http://<host>:<port>/wps/config \
    -in /usr/IBM/WebSphere/PortalServer/doc/xml-samples/ExportThemesAndSkins.xml \
    -out /home/<user-home>/ExportThemesAndSkins_result.xml

In the command above, you should modify the paths if they differ on your server and you must also replace <password>, <host>, <port>, and <user-home> with values appropriate to your own environment.

User Impersonation is a feature in WebSphere Portal that allows select administrative users to take on the profile of other users without having to know their login credentials. This allows the administrative user to evaluate the user experience from the impersonated user’s perspective. It can be quite handy for portals where security and personalization play a heavy role or where help-desk and support staff really need to see exactly what the end-user sees. I created this screencast that demonstrates how it works and even though it may be a little old, it’s still relevant…

The user impersonation feature in WebSphere Portal allows specified users or groups the ability to assume the profile of
others. In this way, administrators or help-desk staff can view a personalized and secured portal the way another end-user
sees it. Of course, depending on the types of content and services you provide, this could be a security risk. If you have
features that should not be accessed, even in impersonated sessions, you may need to wrap those features with some specialized
logic. In this post, I show you how.

Accessing the ImpersonationService in Your Java Code

First, you’ll need to access the ImpersonationService in your theme or portlet code. The example below uses a JNDI lookup,
which can be expensive, so be sure to put these kinds of things in an init method.

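// Declarations added so the fragment compiles; do the lookup once (for example, in an init method).
com.ibm.portal.portlet.service.PortletServiceHome portletServiceHome = null;
com.ibm.portal.portlet.service.impersonation.ImpersonationService impersonationHome = null;
boolean isImpersonationEnabled = false;
try {
  javax.naming.Context ctx = new javax.naming.InitialContext();
  portletServiceHome = (com.ibm.portal.portlet.service.PortletServiceHome)ctx.lookup(com.ibm.portal.portlet.service.impersonation.ImpersonationService.JNDI_NAME);
  if(portletServiceHome != null) {
    impersonationHome = (com.ibm.portal.portlet.service.impersonation.ImpersonationService) portletServiceHome.getPortletService(com.ibm.portal.portlet.service.impersonation.ImpersonationService.class);
    if( impersonationHome != null ) {
      isImpersonationEnabled = true;
    }
  }
} catch ( javax.naming.NamingException ne ) {
  // impersonation is not present
} catch ( com.ibm.portal.portlet.service.PortletServiceUnavailableException psue ) {
  // impersonation is not present
}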

That’s how the PageBuilder theme does it. Here’s another example from the SPIs JavaDoc on how to perform the JNDI lookup
to acquire the service object:

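import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.portlet.service.impersonation.ImpersonationService;

PortletServiceHome psh = null;
try {
    // both the InitialContext constructor and lookup() can throw NamingException
    Context ctx = new InitialContext();
    psh = (PortletServiceHome) ctx.lookup(ImpersonationService.JNDI_NAME);
} catch (NamingException ex) {
    // error handling
}

if (psh != null) {
    try {
        // obtain the service object and use the service
        ImpersonationService impersonationService = (ImpersonationService) psh.getPortletService(ImpersonationService.class);
        // FORM_TEXT is a constant defined by the calling code (not shown); the third argument is the DN of the user to impersonate
        impersonationService.doImpersonate(request, response, request.getParameter(FORM_TEXT));
    } catch (Exception e) {
        // error handling
    }
}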

Using the ImpersonationService in Your Java Code

Once you have access to the service, you can use the following method to determine if the current user is an impersonated
user (returns a boolean):

impersonationHome.isUserImpersonated()
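
As an added example (not from the original post and not IBM's code), here is one way to wrap a feature so that it is refused during impersonated sessions. The class name SensitiveFeaturePortlet, the render parameter, and the log message are assumptions; the only ImpersonationService members used are the ones listed on this page.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.portlet.service.PortletServiceUnavailableException;
import com.ibm.portal.portlet.service.impersonation.ImpersonationService;

// Hypothetical portlet: blocks a sensitive action during impersonated sessions.
public class SensitiveFeaturePortlet extends GenericPortlet {
    private static final Logger LOG = Logger.getLogger(SensitiveFeaturePortlet.class.getName());
    private PortletServiceHome serviceHome; // null when impersonation is not installed

    @Override
    public void init() throws PortletException {
        try { // expensive JNDI lookup, done once
            serviceHome = (PortletServiceHome) new InitialContext().lookup(ImpersonationService.JNDI_NAME);
        } catch (NamingException ne) {
            serviceHome = null; // service not present: no session can be impersonated
        }
    }

    // True when the current request runs in an impersonated session.
    private boolean isImpersonated() throws PortletException {
        if (serviceHome == null) return false;
        try {
            ImpersonationService svc = (ImpersonationService) serviceHome.getPortletService(ImpersonationService.class);
            return svc.isUserImpersonated();
        } catch (PortletServiceUnavailableException e) {
            // Fail closed: the service is registered but its state cannot be read.
            throw new PortletException("Impersonation state unknown", e);
        }
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response) throws PortletException, IOException {
        if (isImpersonated()) {
            LOG.warning("Blocked sensitive action in impersonated session, remote user: " + request.getRemoteUser());
            response.setRenderParameter("blocked", "impersonation"); // let the view explain the refusal
            return;
        }
        // ... the sensitive operation goes here; reached only in non-impersonated sessions ...
    }
}
```

The guard sits in processAction so the check runs on the server for every action request, and an unreadable impersonation state is treated as a refusal rather than as permission.
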

There are other useful methods on the ImpersonationService. Following are all the methods as of WebSphere Portal 7.0.0.

Interface com.ibm.portal.portlet.service.impersonation.ImpersonationService

void doImpersonate(ActionRequest actionRequest, ActionResponse actionResponse, java.lang.String impUserDN)
This method starts the impersonation.

void doImpersonate(ActionRequest actionRequest, ActionResponse actionResponse, User impUser)
This method starts the impersonation.

void doImpersonate(PortletRequest portletRequest, PortletResponse portletResponse, java.lang.String impUserDN)
Deprecated. since 7.0 use doImpersonate(ActionRequest, ActionResponse, String) instead

void doImpersonate(PortletRequest portletRequest, PortletResponse portletResponse, User impUser)
Deprecated. since 7.0 use doImpersonate(ActionRequest, ActionResponse, User) instead

User getOriginalUser()
This method returns the original user that has logged in.

boolean isUserImpersonated()
This method indicates whether the current user has been impersonated or he is acting on its own behalf.

void loginOriginalUser(HttpServletRequest aRequest, HttpServletResponse aResponse)
Deprecated. since 7.0 use com.ibm.portal.impersonation.ImpersonationService#loginOriginalUser(HttpServletRequest, HttpServletResponse) instead