The Personalization module adds an access control servlet to the standard ATG servlet pipeline. The access control servlet (/atg/userprofiling/AccessControlServlet) can allow or deny access to a page or group of pages based on criteria such as membership in a group or satisfaction of a targeting rule. CRS-IUA uses the access control servlet to restrict access to the My Account page to logged-in users.

Two AccessController components are registered in the accessControllers service map property in the /atg/rest/security/AccessControlServlet.properties file. To secure other paths, use this property to assign them to AccessController components.

accessControllers=\
  /rest/bean/atg/userprofiling/Profile=/atg/rest/security/LoggedInAccessController,\
  /rest/bean/atg/userprofiling/ProfileServices=/atg/userprofiling/AllAccessController

If the URL requested is mapped to an AccessController component, the request’s Profile object is passed to the AccessController, which determines whether or not access should be allowed. For example, the LoggedInAccessController, which defines the rules for logged-in users, allows access to the profile REST request only if the user is logged in.

If access is denied, the servlet redirects the user to the following deniedAccessURL:

deniedAccessURL=/rest/service/atg/rest/Error
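When reviewing which REST paths are covered by which AccessController, the mapping above can be checked offline. The following is an added example, not Oracle's or CRS code: it parses the accessControllers service map from the properties text and reports the paths that are not governed by a required controller. The function names, the review list, and the matching rule (longest mapped path that equals the request path or is a parent of it on a "/" boundary) are assumptions made for illustration.

```python
# Added example: audit which AccessController governs a REST path.
# Constructed sample: the two mappings and deniedAccessURL shown on this page.
SAMPLE = """\
accessControllers=\\
  /rest/bean/atg/userprofiling/Profile=/atg/rest/security/LoggedInAccessController,\\
  /rest/bean/atg/userprofiling/ProfileServices=/atg/userprofiling/AllAccessController

deniedAccessURL=/rest/service/atg/rest/Error
"""
LOGGED_IN = "/atg/rest/security/LoggedInAccessController"

def read_properties(text):
    """Parse key=value pairs, joining lines that end with a backslash."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        if "=" in logical and not logical.startswith(("#", "!")):
            key, value = logical.split("=", 1)
            props[key.strip()] = value.strip()
        logical = ""
    return props

def access_map(props):
    """Split the accessControllers service map into {path: controller}."""
    pairs = (i.strip().split("=", 1) for i in props.get("accessControllers", "").split(",") if "=" in i)
    return {path.strip(): ctrl.strip() for path, ctrl in pairs}

def controller_for(path, entries):
    """Assumed rule: the longest mapped path that equals the request path or is
    a parent of it on a '/' boundary wins; None means no mapping applies."""
    hits = [m for m in entries if path == m or path.startswith(m.rstrip("/") + "/")]
    return entries[max(hits, key=len)] if hits else None

def not_guarded_by(required, paths, entries):
    """Return the paths whose governing controller is not `required`."""
    return [p for p in paths if controller_for(p, entries) != required]

if __name__ == "__main__":
    entries = access_map(read_properties(SAMPLE))
    # Hypothetical review list; the ShoppingCart path is a constructed example.
    review = ["/rest/bean/atg/userprofiling/Profile/firstName",
              "/rest/bean/atg/userprofiling/ProfileServices",
              "/rest/bean/atg/commerce/ShoppingCart"]
    for p in not_guarded_by(LOGGED_IN, review, entries):
        print(p, "->", controller_for(p, entries))
```

Matching on a "/" boundary keeps the Profile entry from also claiming ProfileServices, which shares its prefix but is mapped to a different controller.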

The RestAccessControlServlet is the REST pipeline servlet that references the access control servlet. It is added to the servlet pipeline in:

Store/Mobile/REST/config/atg/dynamo/servlet/dafpipeline/RestSecurityServlet.properties

For more general information about the access control servlet, see the Access Control section in the ATG Personalization Programming Guide.


Copyright © 1997, 2013 Oracle and/or its affiliates. All rights reserved.