User impersonation programming in WebSphere Portal

The user impersonation feature in WebSphere Portal lets specified users or groups assume the profile of
other users. In this way, administrators or help-desk staff can view a personalized and secured portal the way another
end-user sees it. Depending on the types of content and services you provide, this could be a security risk. If you have
features that should not be accessible, even in impersonated sessions, you may need to wrap those features with some
specialized logic. In this post, I show you how.

Accessing the ImpersonationService in Your Java Code

First, you’ll need to access the ImpersonationService in your theme or portlet code. The example below uses a JNDI lookup,
which can be expensive, so do the lookup once in an init method rather than on every request.

// portletServiceHome, impersonationHome and isImpersonationEnabled are fields of the enclosing class
try {
  javax.naming.Context ctx = new javax.naming.InitialContext();
  // look up the service home under the JNDI name published by the ImpersonationService interface
  portletServiceHome = (com.ibm.portal.portlet.service.PortletServiceHome)ctx.lookup(com.ibm.portal.portlet.service.impersonation.ImpersonationService.JNDI_NAME);
  if(portletServiceHome != null) {
    impersonationHome = (com.ibm.portal.portlet.service.impersonation.ImpersonationService) portletServiceHome.getPortletService(com.ibm.portal.portlet.service.impersonation.ImpersonationService.class);
    if( impersonationHome != null ) {
      isImpersonationEnabled = true;
    }
  }
} catch ( javax.naming.NamingException ne ) {
  // impersonation is not present
} catch ( com.ibm.portal.portlet.service.PortletServiceUnavailableException psue ) {
  // impersonation is not present
}

 

That’s how the PageBuilder theme does it. Here’s another example, from the SPI JavaDoc, of how to perform the JNDI lookup
to acquire the service object:

// initialised to null so the code still compiles and can be checked if the lookup fails
com.ibm.portal.portlet.service.PortletServiceHome psh = null;

try {
    javax.naming.Context ctx = new javax.naming.InitialContext();
    psh = (PortletServiceHome) ctx.lookup(ImpersonationService.JNDI_NAME);
} catch(javax.naming.NamingException ex) {
    // error handling (also covers NameNotFoundException when the service is not bound)
}

// obtain the service object and use the service
if (psh != null) {
    try {
        ImpersonationService impersonationService = (ImpersonationService) psh.getPortletService(ImpersonationService.class);
        // the third argument is the DN of the user to impersonate, read here from the request
        impersonationService.doImpersonate(request, response, request.getParameter(FORM_TEXT));
    } catch (Exception e) {
        // error handling
    }
}

Using the ImpersonationService in Your Java Code

Once you have access to the service, you can use the following method to determine if the current user is an impersonated
user (returns a boolean):

impersonationHome.isUserImpersonated()

There are other useful methods on the ImpersonationService. Following are all the methods as of WebSphere Portal 7.0.0.

Interface com.ibm.portal.portlet.service.impersonation.ImpersonationService

void doImpersonate(ActionRequest actionRequest, ActionResponse actionResponse, java.lang.String impUserDN)
This method starts the impersonation.

void doImpersonate(ActionRequest actionRequest, ActionResponse actionResponse, User impUser)
This method starts the impersonation.

void doImpersonate(PortletRequest portletRequest, PortletResponse portletResponse, java.lang.String impUserDN)
Deprecated. since 7.0 use doImpersonate(ActionRequest, ActionResponse, String) instead

void doImpersonate(PortletRequest portletRequest, PortletResponse portletResponse, User impUser)
Deprecated. since 7.0 use doImpersonate(ActionRequest, ActionResponse, User) instead

User getOriginalUser()
This method returns the original user that has logged in.

boolean isUserImpersonated()
This method indicates whether the current user is being impersonated or is acting on their own behalf.

void loginOriginalUser(HttpServletRequest aRequest, HttpServletResponse aResponse)
Deprecated. since 7.0 use com.ibm.portal.impersonation.ImpersonationService#loginOriginalUser(HttpServletRequest, HttpServletResponse) instead
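
The lookup and isUserImpersonated() combined into a guard around a sensitive feature, as an added example that is not code from the original post or from IBM: the class name ImpersonationGuardedPortlet and the method doSensitiveAction are hypothetical, and a failed lookup is treated as "impersonation is not present", as in the snippets above.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletSecurityException;
import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.portlet.service.PortletServiceUnavailableException;
import com.ibm.portal.portlet.service.impersonation.ImpersonationService;

// Hypothetical base class: subclasses put the feature that must never run
// in an impersonated session into doSensitiveAction().
public abstract class ImpersonationGuardedPortlet extends GenericPortlet {

    // Stays null when the impersonation feature is not present.
    private ImpersonationService impersonationService;

    @Override
    public void init() throws PortletException {
        // The JNDI lookup is done once here, not on every request.
        try {
            PortletServiceHome psh = (PortletServiceHome)
                    new InitialContext().lookup(ImpersonationService.JNDI_NAME);
            impersonationService = (ImpersonationService)
                    psh.getPortletService(ImpersonationService.class);
        } catch (NamingException ne) {
            impersonationService = null; // impersonation is not present
        } catch (PortletServiceUnavailableException psue) {
            impersonationService = null; // impersonation is not present
        }
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        if (impersonationService != null && impersonationService.isUserImpersonated()) {
            // Refuse before any state changes and leave a trace in the log.
            getPortletContext().log("Blocked sensitive action in impersonated session, remote user: "
                    + request.getRemoteUser());
            throw new PortletSecurityException("Not available while impersonating a user");
        }
        doSensitiveAction(request, response);
    }

    // Hypothetical hook for the protected feature.
    protected abstract void doSensitiveAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException;
}
```

The check runs on the server in processAction, so hiding the feature's link or button in the theme is a convenience on top of it, not a replacement for it.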