The Personalization module adds an access control servlet to the standard ATG servlet pipeline. The access control servlet (/atg) can allow or deny access to a page or group of pages based on criteria such as membership in a group or satisfaction of a targeting rule. CRS-IUA uses the access control servlet to restrict access to the My Account page to logged-in users.
Two AccessController components are registered in the accessControllers service map property in the /atg/rest/security/AccessControlServlet.properties file. To secure other paths, use this property to assign them to AccessController components.
accessControllers=\
    /rest/bean/atg/userprofiling/Profile=/atg/rest/security/LoggedInAccessController,\
    /rest/bean/atg/userprofiling/ProfileServices=/atg/userprofiling/AllAccessController
If the requested URL is mapped to an AccessController component, the request’s Profile object is passed to the AccessController, which determines whether or not access should be allowed. For example, the LoggedInAccessController, which defines the rules for logged-in users, allows access to the profile REST request only if the user is logged in.
If access is denied, the servlet redirects the user to the following deniedAccessURL:
deniedAccessURL=/rest/model/atg/userprofiling/SecurityStatusActor/authenticationRequired
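The following audit script is an added example, not part of the original documentation or of Oracle's code. It parses an accessControllers service map like the one above and reports REST paths that have no AccessController or are assigned to an unrestricted one. Assumptions: AllAccessController permits every caller, lookups are exact-key only (the servlet's own path matching is not modeled), and /rest/bean/example/HypotheticalService is a made-up path.

```python
# Added example (not Oracle code): audit an accessControllers service map.
# SAMPLE is constructed to mirror the property shown on this page.
SAMPLE = """\
accessControllers=\\
    /rest/bean/atg/userprofiling/Profile=/atg/rest/security/LoggedInAccessController,\\
    /rest/bean/atg/userprofiling/ProfileServices=/atg/userprofiling/AllAccessController
"""

# Paths the reviewer expects to be restricted; the last one is hypothetical.
MUST_RESTRICT = [
    "/rest/bean/atg/userprofiling/Profile",
    "/rest/bean/atg/userprofiling/ProfileServices",
    "/rest/bean/example/HypotheticalService",
]

def load_properties(text):
    """Minimal .properties reader: joins backslash-continued lines, skips comments."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]          # continuation: keep accumulating
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def parse_service_map(value):
    """Split 'path=component,path=component' into a dict."""
    mapping = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        path, sep, component = entry.partition("=")
        if not sep or not component:
            raise ValueError(f"malformed service map entry: {entry!r}")
        mapping[path.strip()] = component.strip()
    return mapping

def audit(text, must_restrict, open_controllers=("AllAccessController",)):
    """Report paths that are unmapped or mapped to a controller assumed to allow all."""
    mapping = parse_service_map(load_properties(text).get("accessControllers", ""))
    findings = []
    for path in must_restrict:
        component = mapping.get(path)
        if component is None:
            findings.append(f"{path}: no AccessController assigned")
        elif component.rsplit("/", 1)[-1] in open_controllers:
            findings.append(f"{path}: assigned to {component}")
    return findings
```

Calling audit(SAMPLE, MUST_RESTRICT) returns one finding for ProfileServices and one for the hypothetical path; a finding is a prompt to confirm that the open mapping is intentional, not proof of a defect.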
The RestAccessControlServlet is the REST pipeline servlet that references the access control servlet. It is added to the servlet pipeline in:
Store/Mobile/REST/config/atg/dynamo/servlet/dafpipeline/RestSecurityServlet.properties
For more general information about the access control servlet, see the Access Control section in the Personalization Programming Guide.