Each incoming request to Ensemble is evaluated against the policies for the requested resource. If the user is found to be in one or more roles, access is granted and the set of matching roles is passed on to the proxied application, allowing the application to determine the correct access level for the user. This is called Role-Based Access Control (RBAC).

Roles are sent in an HTTP header and can be accessed using the Proxy IDK and adaptive tags.

Adaptive tags can be included in the markup returned by any proxied page, including pagelets. Using the attributes defined in the tag, Ensemble transforms the XML and replaces it with standard HTML to be displayed in a browser. For details, see Ensemble Adaptive Tag Library (pt:ensemble).

• The pt:ensemble.rolelist tag creates a collection of the user's roles in the current context and stores it in memory using the name in the pt:key attribute. Each item in the collection is a variable containing the role name. The example below displays a list of the user's roles by iterating over the collection using the pt:logic.foreach tag.

  <pt:ensemble.rolelist pt:key='roles'/>
  <pt:logic.foreach pt:data='roles' pt:var='role'>
  <pt:logic.value pt:value='$role'/>
   <pt:logic.separator><br></pt:logic.separator>
  </pt:logic.foreach><BR>

• The pt:ensemble.roleexpr tag evaluates an expression and stores the result as a boolean in memory using the name in the pt:key attribute. The example below checks if the user has the Admin role and displays a message based on the result using the pt:logic.if tag.

  <pt:ensemble.roleexpr pt:expr='hasRole Admin' pt:key='hasrole'/>
  <pt:logic.if pt:expr='$hasrole'>
     <pt:logic.iftrue>
        This user has the Admin role.
     </pt:logic.iftrue>
     <pt:logic.iffalse>
        Warning: This user DOES NOT have the Admin role.
     </pt:logic.iffalse>
  </pt:logic.if>

The IDK bea.alui.proxy.IProxyUser interface also allows you to get a list of the user's roles in the current context, or determine whether the user has a specific role.

• The IProxyUser.getRoles method returns an iterator of the user's roles as strings.
• The IProxyUser.isUserInRole method determines whether the user is in the role passed in the role parameter and returns true if the user has the role (false otherwise).
• The IProxyUser.isAnonymous method determines whether the user is an Anonymous user.
• The IProxyUser.isUserInRole method determines whether the user is in the role passed in the role parameter and returns true if the user has the role (false otherwise).

 <%@ page language='java' import='com.plumtree.remote.portlet.*, java.util.Date, java.util.*, com.bea.alui.proxy.*' %>

You refreshed at <%= new Date().toString()%><br/>
<%
response.setHeader('Cache-Control','no-cache');  //HTTP 1.1
response.setHeader('Pragma','no-cache');  //HTTP 1.0 
response.setDateHeader ('Expires', 0);  //prevents caching at the proxy server

IProxyContext ctx = ProxyContextFactory.getInstance().createProxyContext(request,response); 
IProxyRequest req = ctx.getProxyRequest(); 
IProxyResponse res = ctx.getProxyResponse();

Enumeration roles = req.getUser().getRoles(); 
boolean isAdmin = req.getUser().isUserInRole('AdminRole');
boolean isMgr = req.getUser().isUserInRole('MgrRole');
boolean isUser = req.getUser().isUserInRole('UserRole')
%>

<html> 
<head> 
<meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'> 
<META HTTP-EQUIV='PRAGMA' CONTENT='NO-CACHE'> 
<title>Preferences</title> 
</head>

<body>
<br/> CONSUMER SETTINGS <br/> 
<% while (roles.hasMoreElements()) {
   String role = (String)roles.nextElement();  %> 
   <br/>User has role: <%=role%><br/> 
<% } %> 
<br/>User is admin? <%=isAdmin%><br/> 
<br/>User is manager? <%=isMgr%><br/> 
<br/>User is standard user? <%=isUser%><br/>

<pt:ensemble.inject xmlns:pt='http://www.plumtree.com/xmlschemas/ptui/' pt:name='idkLib:rolePagelet'/>

</body>
</html>