| Class | |
|---|---|
| Component | |
AccessControlServlet checks the requestURI to see if it matches any of the restricted URLs identified in its accessController map. The accessController map is made up of URLs matched to an AccessController instance that governs the rules that determine, when that URL is requested, whether the active Profile is permitted to view the page. When access is denied by an AccessController, the AccessController calls AccessControlServlet, which redirects the user to the URL defined in the deniedAccessURL property.

When access is permitted or denied by an AccessController, AccessControlServlet notifies the registered listeners held in the appropriate property: accessAllowedListeners or accessDeniedListeners. These properties are populated with the components that register themselves as listeners with AccessControlServlet.

When a user does not have access, before redirecting the user to the deniedAccessURL, the originalURL is appended to the deniedAccessURL as a query parameter. This allows a user, after a successful login, to be redirected back to his or her original starting page.
For example, if the user's original URL is http://localhost:8280/crs/myaccount/orderDetail.jsp?orderId=o20001 and the deniedAccessURL is defined as /crs/myaccount/profile.jsp, the final deniedAccessURL created by the AccessControlServlet is:

http://localhost:8280/crs/myaccount/login.jsp?originalURL=http://localhost:8280/crs/myaccount/orderDetail.jsp%3ForderId=o20001%3D_requestid=39
The default name of the originalURL query parameter can be modified by updating the originalURLQueryParamName property in the AccessControlServlet component.

Note: Setting the loginSuccessURL property of the login.jsp to the URL you received in the originalURL parameter without proper validation can create security vulnerabilities. Ensure that you have proper validation within the login.jsp file before redirecting users to the originalURL. Refer to the Managing Access Control section for additional information.
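The following is an added example, not code from the ATG platform: it shows how the servlet's originalURL query parameter is built, and a hypothetical helper (safeRedirectTarget, its signature an assumption) that login.jsp could use to validate that parameter before setting loginSuccessURL, so that only same-host or site-relative targets are honoured and anything else falls back to a fixed page. The expected host name and the fallback path are assumed values.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class OriginalUrlRedirect {

    // Mirrors what the servlet does: append originalURL to deniedAccessURL as a query parameter.
    static String buildDeniedUrl(String deniedAccessURL, String paramName, String originalURL) {
        String sep = deniedAccessURL.contains("?") ? "&" : "?";
        return deniedAccessURL + sep + paramName + "="
                + URLEncoder.encode(originalURL, StandardCharsets.UTF_8);
    }

    // Hypothetical validation for login.jsp: return originalURL only if it is site-relative
    // (single leading slash) or an http(s) URL whose host is the expected host; otherwise fallback.
    static String safeRedirectTarget(String originalURL, String expectedHost, String fallback) {
        if (originalURL == null || originalURL.isEmpty()) {
            return fallback;
        }
        try {
            URI uri = new URI(originalURL);            // rejects backslashes and other illegal chars
            if (uri.getScheme() == null && uri.getHost() == null) {
                // Relative reference: must start with exactly one slash ("//host" has a host and
                // is caught above; "/path" is acceptable).
                String path = uri.getPath();
                return (path != null && path.startsWith("/")) ? originalURL : fallback;
            }
            boolean webScheme = "http".equals(uri.getScheme()) || "https".equals(uri.getScheme());
            if (webScheme && expectedHost.equalsIgnoreCase(uri.getHost())) {
                return originalURL;                   // absolute URL back to our own host
            }
        } catch (URISyntaxException e) {
            // malformed input: fall through to the fixed page
        }
        return fallback;
    }

    public static void main(String[] args) {
        String original = "http://localhost:8280/crs/myaccount/orderDetail.jsp?orderId=o20001";
        System.out.println(buildDeniedUrl("/crs/myaccount/login.jsp", "originalURL", original));
        // Assumed host "localhost" and fallback "/crs/myaccount/profile.jsp".
        String fb = "/crs/myaccount/profile.jsp";
        System.out.println(safeRedirectTarget(original, "localhost", fb));              // kept
        System.out.println(safeRedirectTarget("//attacker.example/x", "localhost", fb)); // fallback
        System.out.println(safeRedirectTarget("http://attacker.example/", "localhost", fb)); // fallback
        System.out.println(safeRedirectTarget("javascript:alert(1)", "localhost", fb));  // fallback
    }
}
```

The host comparison ignores the port; tighten it to compare port as well if the site is served on a non-default port that must match exactly.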
You can disable AccessControlServlet by setting its enabled property to false.

For more information on configuring AccessControlServlet, see the ATG Platform API Reference and the Personalization Programming Guide.