Class

atg.userprofiling.AccessControlServlet

Component

/atg/dynamo/servlet/dafpipeline/AccessControlServlet

AccessControlServlet checks the request URI against the restricted URLs listed in its accessController map. Each entry in that map pairs a URL with an AccessController instance whose rules decide, when that URL is requested, whether the active Profile is permitted to view the page. When the AccessController denies access, AccessControlServlet redirects the user to the URL defined in its deniedAccessURL property.

Whether an AccessController permits or denies access, AccessControlServlet notifies the listeners registered in the corresponding property: accessAllowedListeners or accessDeniedListeners. These properties are populated by the components that register themselves as listeners with AccessControlServlet.

When a user does not have access, the original request URL is appended to the deniedAccessURL as a query parameter (named originalURL by default) before the user is redirected. This allows the login page, after a successful login, to send the user back to the page he or she originally requested.

For example, if the user's original URL is http://localhost:8280/crs/myaccount/orderDetail.jsp?orderId=o20001 and deniedAccessURL is defined as /crs/myaccount/login.jsp, the final deniedAccessURL created by AccessControlServlet is:

http://localhost:8280/crs/myaccount/login.jsp?originalURL=http://localhost:8280/crs/myaccount/orderDetail.jsp%3ForderId=o20001%26_requestid=39

The ? and & inside the original URL are percent-encoded (%3F and %26) so that the embedded query string travels as a single originalURL value and is not parsed as parameters of login.jsp itself.

The default name of the originalURL query parameter can be changed by setting the originalURLQueryParamName property of the AccessControlServlet component.

Note: If login.jsp sets its loginSuccessURL (the page the user lands on after a successful login) directly from the originalURL parameter without validating it, the login page becomes an open redirect: an attacker can send a victim a link to login.jsp whose originalURL points at an arbitrary external site, and the victim is forwarded there after authenticating. Before redirecting, verify in login.jsp that the value is a URL on this application (the same host, or a path-relative URL within the application's own path) and otherwise fall back to a fixed default page. Refer to the Managing Access Control section for additional information.
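The following class is an added illustration, not code from ATG or from this guide. It shows the two mechanisms described above: building the deniedAccessURL with the original request URL appended as a percent-encoded query parameter, and the check login.jsp should apply before using that parameter as the post-login redirect target. The method names buildDeniedAccessUrl and toLocalRedirect, the host "localhost", the path prefix "/crs/" and the sample URLs are all assumptions made for the example; the acceptance rule (same host or path-absolute, http(s) only, no escape from the application's path) is one reasonable validation, not the only one.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

/*
 * Added illustration, not ATG code. Assumed names: buildDeniedAccessUrl,
 * toLocalRedirect, the host "localhost" and the path prefix "/crs/".
 */
public class OriginalUrlRedirectExample {

    /**
     * Builds the redirect target the way the text describes: the original
     * request URL is appended to deniedAccessUrl as a query parameter.
     * The whole value is percent-encoded, so the "?" and "&" of the original
     * query string cannot be mistaken for delimiters of the outer query.
     */
    static String buildDeniedAccessUrl(String deniedAccessUrl, String paramName, String originalUrl) {
        String encoded;
        try {
            encoded = URLEncoder.encode(originalUrl, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
        String separator = deniedAccessUrl.contains("?") ? "&" : "?";
        return deniedAccessUrl + separator + paramName + "=" + encoded;
    }

    /**
     * The check login.jsp should apply before using the originalURL parameter
     * as loginSuccessURL. Returns a local redirect target (path plus query), or
     * null when the parameter must not be used and a fixed default page should
     * be used instead. Accepted inputs:
     *   - an absolute http(s) URL whose host equals expectedHost (the form
     *     AccessControlServlet itself emits), reduced to its path and query;
     *   - a path-absolute URL such as /crs/myaccount/profile.jsp.
     * Rejected: other schemes (javascript:, data:), other hosts,
     * protocol-relative //host URLs, backslashes, and paths that leave
     * requiredPathPrefix after dot-segment normalization.
     */
    static String toLocalRedirect(String candidate, String expectedHost, String requiredPathPrefix) {
        if (candidate == null || candidate.trim().isEmpty() || candidate.contains("\\")) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(candidate.trim()).normalize();   // collapses /../ segments
        } catch (URISyntaxException e) {
            return null;                                   // malformed: do not use
        }
        String scheme = uri.getScheme();
        if (scheme != null && !scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) {
            return null;
        }
        if (uri.getRawAuthority() != null) {
            // Absolute or protocol-relative URL: the host must be ours. getHost()
            // strips any user@ prefix and the port, so "localhost@evil.example" fails.
            String host = uri.getHost();
            if (host == null || !host.equalsIgnoreCase(expectedHost)) {
                return null;
            }
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/") || path.startsWith("//")
                || !path.startsWith(requiredPathPrefix)) {
            return null;
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed sample matching the text: the original page, then the URL the servlet builds.
        String original = "http://localhost:8280/crs/myaccount/orderDetail.jsp?orderId=o20001&_requestid=39";
        String denied = buildDeniedAccessUrl("/crs/myaccount/login.jsp", "originalURL", original);
        System.out.println(denied);

        // What login.jsp should do with the parameter after a successful login.
        String[] candidates = {
            original,                                   // accepted, reduced to path and query
            "/crs/myaccount/profile.jsp",               // accepted as-is
            "http://evil.example/crs/myaccount/",       // other host: rejected
            "//evil.example/crs/",                      // protocol-relative: rejected
            "http://localhost@evil.example/crs/",       // user-info trick: rejected
            "javascript:alert(1)",                      // non-http scheme: rejected
            "/crs/../admin/index.jsp"                   // leaves the prefix: rejected
        };
        for (String c : candidates) {
            String target = toLocalRedirect(c, "localhost", "/crs/");
            System.out.println((target == null ? "REJECT  " : "ALLOW   ") + c
                    + (target == null ? "" : "  ->  " + target));
        }
    }
}
```

In login.jsp the expected host would come from the request's own server name rather than a constant, and a null result means the page should redirect to its fixed default target instead of the supplied value. Reducing an accepted absolute URL to its path and query also keeps the post-login redirect on the scheme and host the user is currently using.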

You can disable AccessControlServlet by setting its enabled property to false.

For more information on configuring AccessControlServlet, see the ATG Platform API Reference and the Personalization Programming Guide.


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved. Legal Notices