There are two factors that control access to a resource in Ensemble:
Authentication: Ensemble manages authentication with the proxied application based on the settings defined for the associated resource. For details on creating custom login pages, see Creating Custom Login Pages for Ensemble. For details on configuring authentication for a proxied application, see the AquaLogic Ensemble Administrator Guide Chapter 5, "Proxy Authentication" and Chapter 6, "Credential Mapping." For details on defining authentication settings for users, see Chapter 8, “Experience Definitions.”
Policies: Each Ensemble resource is protected by a policy set, which describes the conditions under which a user may be granted access to the resource, and the roles associated with those conditions. For details, see the next section.
When a resource is created, a default policy set is created for that resource. Each policy set maps to a single resource. The name of the policy set is the same as the name of the resource and cannot be changed.
A policy set is a collection of policies that control access to a resource. Each policy grants access to a resource based on two criteria:
Users and Groups: The user must be among the users or groups configured in the policy.
Rules: Each rule describes a criterion that must be met; if the criterion is met, the rule evaluates to true. For example, a rule could restrict access to business hours, or evaluate to true only when the request comes from a specific browser or IP address. You can choose whether one or all of the rules must evaluate to true.
In addition to controlling access to a resource, policies associate a role with the user. Policies can only use the roles defined for the associated resource. To configure the roles for a resource, edit the resource using the Ensemble Console and add the roles on the Roles tab. These are the values that will be sent to the proxied application.
For more details on policies and how they are mapped to roles, see the AquaLogic Ensemble Administrator Guide Chapter 7, “Policies and Rules.”
Each incoming request to Ensemble is evaluated against the policies for the requested resource, and if the user is found to be in one or more roles, access is granted and the set of matching roles is passed on to the proxied application, allowing the application to determine the correct access level for the user. This is called Role-Based Access Control (RBAC).
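The evaluation just described, modelled as a small added example (illustrative code, not Ensemble's policy engine or any IDK API): one resource's policy set, each policy with its users or groups, its rules, the any-or-all switch and the role it grants, evaluated against a request context. The rule functions, the sample users, groups and addresses, and the decide helper are constructed for the example; the three role names are the ones used in the JSP sample later on this page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, FrozenSet, Tuple

@dataclass(frozen=True)
class RequestContext:        # what a policy may inspect about one request (constructed model)
    user: str
    groups: FrozenSet[str]
    client_ip: str
    when: datetime
@dataclass(frozen=True)
class Policy:
    role: str                                   # role granted when this policy matches
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    rules: Tuple[Callable[[RequestContext], bool], ...] = ()
    require_all_rules: bool = True              # True: every rule must hold; False: any one
    def matches(self, ctx: RequestContext) -> bool:
        # Criterion 1: the requester is a listed user or belongs to a listed group.
        if ctx.user not in self.users and not (ctx.groups & self.groups):
            return False
        if not self.rules:                      # Criterion 2: rules; none means membership suffices
            return True
        outcomes = [rule(ctx) for rule in self.rules]
        return all(outcomes) if self.require_all_rules else any(outcomes)

def business_hours(ctx: RequestContext) -> bool:          # rule of the "business hours" kind
    return ctx.when.weekday() < 5 and 9 <= ctx.when.hour < 17

def from_internal_network(ctx: RequestContext) -> bool:   # rule of the "IP address" kind
    return ctx.client_ip.startswith("10.0.")              # constructed sample range

def evaluate(resource_roles, policy_set, ctx: RequestContext) -> FrozenSet[str]:
    """Roles to forward to the proxied application; an empty set means deny."""
    for p in policy_set:                        # policies may only use the resource's roles
        if p.role not in resource_roles:
            raise ValueError(f"policy grants undefined role {p.role!r}")
    return frozenset(p.role for p in policy_set if p.matches(ctx))

RESOURCE_ROLES = frozenset({"AdminRole", "MgrRole", "UserRole"})   # constructed sample resource
POLICY_SET = (
    Policy("UserRole", groups=frozenset({"staff"})),
    Policy("MgrRole", groups=frozenset({"managers"}),          # either rule suffices
           rules=(business_hours, from_internal_network), require_all_rules=False),
    Policy("AdminRole", users=frozenset({"alice"}),            # both rules required
           rules=(business_hours, from_internal_network), require_all_rules=True),
)
def decide(user, groups, client_ip, when_iso):  # sorted roles for one request; [] means deny
    ctx = RequestContext(user, frozenset(groups), client_ip, datetime.fromisoformat(when_iso))
    return sorted(evaluate(RESOURCE_ROLES, POLICY_SET, ctx))
```

An empty result is a denial at the proxy, so the application only sees requests that matched at least one policy. Because the matched roles reach the application as an HTTP header, the application should honour that header only on requests that actually arrived through Ensemble.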
Roles are sent in the HTTP header and can be accessed using the Proxy IDK and Ensemble adaptive tags, as described below.
The Ensemble Adaptive Tag Library provides access to the roles returned by Ensemble. Adaptive Tags can be included in the markup returned by any proxied page, including pagelets. Using the attributes defined in the tag, Ensemble transforms the XML and replaces it with standard HTML to be displayed in a browser.
The pt:ensemble.rolelist tag creates a collection of the user's roles in the current context and stores it in memory using the name in the pt:key attribute. Each item in the collection is a variable containing the role name. The example below displays a list of the user's roles by iterating over the collection using the pt:logic.foreach tag.
<pt:ensemble.rolelist pt:key="roles"/>
<pt:logic.foreach pt:data="roles" pt:var="role">
<pt:logic.value pt:value="$role"/>
<pt:logic.separator><br></pt:logic.separator>
</pt:logic.foreach><BR>
The pt:ensemble.roleexpr tag evaluates an expression and stores the result as a boolean in memory using the name in the pt:key attribute. The example below checks if the user has the Admin role and displays a message based on the result using the pt:logic.if tag.
<pt:ensemble.roleexpr pt:expr="hasRole Admin" pt:key="hasrole"/>
<pt:logic.if pt:expr="$hasrole">
<pt:logic.iftrue>
This user has the Admin role.
</pt:logic.iftrue>
<pt:logic.iffalse>
Warning: This user DOES NOT have the Admin role.
</pt:logic.iffalse>
</pt:logic.if>
For details on pt:ensemble tags, see Ensemble Tags.
The AquaLogic Interaction Development Kit (IDK) bea.alui.proxy.IProxyUser interface also allows you to get a list of the user's roles in the current context, or determine whether the user has a specific role.
The IProxyUser.getRoles method returns the user's roles as an Enumeration of strings.
The IProxyUser.isUserInRole method determines whether the user is in the role passed in the role parameter and returns true if the user has the role (false otherwise).
The IProxyUser.isAnonymous method determines whether the user is an Anonymous user.
The simplified example below (roleconsumer.jsp) retrieves role information for the current user. The associated Ensemble resource has three roles defined: AdminRole, MgrRole, and UserRole. (The associated policy set assigns these roles to groups or users.) In this example, the associated Ensemble pagelet is named "rolePagelet".
<%@ page language="java" import="com.plumtree.remote.portlet.*, java.util.Date, java.util.*, com.bea.alui.proxy.*" %>
You refreshed at <%= new Date().toString()%><br/>
<%
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
// Obtain the IDK proxy context for this request; the proxy user carries the roles Ensemble matched.
IProxyContext ctx = ProxyContextFactory.getInstance().createProxyContext(request,response);
IProxyRequest req = ctx.getProxyRequest();
IProxyResponse res = ctx.getProxyResponse();
// All roles assigned to the user for this resource, as an Enumeration of strings.
Enumeration roles = req.getUser().getRoles();
// Membership checks against the three roles defined on the resource.
boolean isAdmin = req.getUser().isUserInRole("AdminRole");
boolean isMgr = req.getUser().isUserInRole("MgrRole");
boolean isUser = req.getUser().isUserInRole("UserRole");
%><html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<title>Preferences</title>
</head><body>
<br/>
CONSUMER SETTINGS
<br/>
<% while (roles.hasMoreElements()) {
String role = (String)roles.nextElement(); %>
<br/>User has role: <%=role%><br/>
<% } %>
<br/>User is admin? <%=isAdmin%><br/>
<br/>User is manager? <%=isMgr%><br/>
<br/>User is standard user? <%=isUser%><br/>
<pt:ensemble.inject xmlns:pt='http://www.plumtree.com/xmlschemas/ptui/' pt:name="idkLib:rolePagelet"/>
</body>
</html>
For more details on these methods, see the IDK API documentation. For details on using the pt:ensemble.inject tag, see IDK Quickstart: Hello World Pagelet (Java | .NET) and Ensemble Adaptive Tags.