Saturday, 21 March 2015

Custom Impersonation portlet websphere portal

Using Impersonation based on Groups
Problem statement:
A given user should be able to impersonate users belonging to one group while not being able to impersonate users belonging to another group. IBM ships an impersonation portlet for this, but it has limitations (for example, searching by first name). Our requirement is that the admins in Group A should be able to impersonate normal users but must not be able to impersonate privileged users, so we want a custom portlet in which we can add our own implementation.

Scenario:
Admins – group of admins
PrivilegedUsers – group of privileged users
NormalUsers – group of normal users

Steps:
Step 1: To enable the impersonation feature, run the enable-impersonation task from the wp_profile_root/ConfigEngine directory.
ConfigEngine.bat enable-impersonation -DWasPassword=password -DPortalAdminPwd=password -DCategoriesList=wp.auth.base

Step 2: Log on to WebSphere Portal as an administrator.
Click Administration > Users and Groups > All Portal User Groups > New Group
Create three groups: Admins, PrivilegedUsers and NormalUsers. The group names must match exactly the strings the portlet compares against the group cn attribute in Step 7.
Step 3: Log on to WebSphere Portal as an administrator.
Click Administration >Users and Groups > All Portal User Groups > New User
Create three users admin, puser, nuser
Step 4: The required users and groups now exist; next, add the users to the groups.
Log on to WebSphere Portal as an administrator.
Click Administration > Users and Groups > All Portal User Groups > Admins/PrivilegedUsers/NormalUsers > Add Member.
Add admin to the Admins group, puser to the PrivilegedUsers group and nuser to the NormalUsers group.


Step 5: Create a new page.
Log on to WebSphere Portal as an administrator. Click Administration > Manage Pages > Content Root > New Page
Create a portlet and add it to the page you just created.
Step 6: To perform impersonation we need an ImpersonationService object, and to identify the groups of a particular user we need the PUMA service object (PumaHome). Both are portlet services obtained through JNDI.

Declare the following fields inside the portlet class (the service handles are looked up once and shared):
private static PortletServiceHome pshImpersonate = null;
private static PortletServiceHome psh = null;
private static PumaHome pumaHome = null;
private static ArrayList<String> GROUP_ATTRS = null;
private static ImpersonationService impersonationService = null;
Add the following code inside a method of the portlet (the init method is the usual place) to obtain the service objects. The imports it needs:
import java.util.ArrayList;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.portlet.service.PortletServiceUnavailableException;
import com.ibm.portal.portlet.service.impersonation.ImpersonationService;
import com.ibm.portal.um.portletservice.PumaHome;

try {
    Context ctx = new InitialContext();

    // gets the impersonation service object
    pshImpersonate = (PortletServiceHome) ctx.lookup(ImpersonationService.JNDI_NAME);
    impersonationService = (ImpersonationService) pshImpersonate.getPortletService(ImpersonationService.class);

    // gets the PUMA service object
    psh = (PortletServiceHome) ctx.lookup(PumaHome.JNDI_NAME);
    pumaHome = (PumaHome) psh.getPortletService(PumaHome.class);

    // only the common name (cn) of each group is needed to compare group names
    GROUP_ATTRS = new ArrayList<String>(1);
    GROUP_ATTRS.add("cn");
} catch (NamingException e) {
    e.printStackTrace();
} catch (PortletServiceUnavailableException e) {
    e.printStackTrace();
}

Step 7: Add the following code to processAction. It resolves the requested user ID through PUMA, determines the groups that user belongs to, and calls doImpersonate only when the target is a normal user; a target that is a privileged user is refused, even if that account is also in NormalUsers. Additional imports: java.util.List, java.util.Map, com.ibm.portal.um.PumaLocator, com.ibm.portal.um.PumaProfile, com.ibm.portal.um.User and com.ibm.portal.um.Group.
try {
    String userId = request.getParameter("userId");
    if (userId == null || userId.trim().isEmpty()) {
        request.getPortletSession().setAttribute("message", "No user ID supplied.");
        return;
    }
    userId = userId.trim();

    PumaLocator pumaLocator = pumaHome.getLocator(request);
    PumaProfile pumaProfile = pumaHome.getProfile(request);

    // gets the user using the user id; an unknown uid yields an empty list,
    // and an ambiguous uid must not silently resolve to the first hit
    List<User> users = pumaLocator.findUsersByAttribute("uid", userId);
    if (users.size() != 1) {
        request.getPortletSession().setAttribute("message", "User not found.");
        return;
    }
    User user = users.get(0);

    // collect the group memberships first, then decide
    List<Group> groups = pumaLocator.findGroupsByPrincipal(user, false);
    boolean isNormal = false;
    boolean isPrivileged = false;
    for (Group group : groups) {
        Map<String, Object> attributeMap = pumaProfile.getAttributes(group, GROUP_ATTRS);
        String groupName = (String) attributeMap.get("cn");
        if ("NormalUsers".equals(groupName)) {
            isNormal = true;
        } else if ("PrivilegedUsers".equals(groupName)) {
            isPrivileged = true;
        }
    }

    if (isPrivileged) {
        // do not allow impersonation if the user is a privileged user;
        // this check comes first so a user in both groups is still refused
        request.getPortletSession().setAttribute("message", "Sorry, you do not have permissions to impersonate.");
    } else if (isNormal) {
        // allow impersonation if the user is a normal user
        impersonationService.doImpersonate(request, response, user);
    } else {
        request.getPortletSession().setAttribute("message", "This user is not in a group that may be impersonated.");
    }
} catch (Exception e) {
    e.printStackTrace();
}
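As an added example that is not part of the original post, here is the allow/deny decision of Step 7 isolated from the PUMA and ImpersonationService calls, so it can be compiled and exercised without a portal. The class name, the Decision enum, the uid pattern and the sample user IDs are assumptions; the group names are the ones used above.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;

// Added example, not from the original post: the allow/deny decision of Step 7
// as a pure function. The class name, the Decision enum and the sample uids
// below are assumptions made for illustration.
public class ImpersonationPolicy {
    public enum Decision { ALLOW, DENY }
    static final String NORMAL_GROUP = "NormalUsers";
    static final String PRIVILEGED_GROUP = "PrivilegedUsers";

    // requestedUid : the userId parameter as received from the action request
    // matches      : how many accounts the "uid" lookup returned (0, 1 or more)
    // targetGroups : cn values of the groups the resolved account belongs to
    public static Decision decide(String requestedUid, int matches, Collection<String> targetGroups) {
        // accept only a plain account name; the parameter is client-controlled
        if (requestedUid == null || !requestedUid.matches("[A-Za-z0-9._-]{1,64}")) {
            return Decision.DENY;
        }
        // an unknown or ambiguous uid never resolves to "the first hit"
        if (matches != 1) {
            return Decision.DENY;
        }
        // deny wins over allow: a member of PrivilegedUsers is refused even if
        // the same account is also listed in NormalUsers
        if (targetGroups.contains(PRIVILEGED_GROUP)) {
            return Decision.DENY;
        }
        // default deny: only a positively identified normal user may be impersonated
        return targetGroups.contains(NORMAL_GROUP) ? Decision.ALLOW : Decision.DENY;
    }

    public static void main(String[] args) {
        // constructed sample data standing in for the PUMA lookups
        check("nuser", 1, Arrays.asList(NORMAL_GROUP), Decision.ALLOW);
        check("puser", 1, Arrays.asList(PRIVILEGED_GROUP), Decision.DENY);
        check("both", 1, Arrays.asList(NORMAL_GROUP, PRIVILEGED_GROUP), Decision.DENY);
        check("ghost", 0, Collections.<String>emptyList(), Decision.DENY);   // unknown uid
        check("dup", 2, Arrays.asList(NORMAL_GROUP), Decision.DENY);        // ambiguous uid
        check("n user", 1, Arrays.asList(NORMAL_GROUP), Decision.DENY);     // malformed uid
        check("orphan", 1, Collections.<String>emptyList(), Decision.DENY); // no group at all
    }

    private static void check(String uid, int matches, Collection<String> groups, Decision want) {
        Decision got = decide(uid, matches, groups);
        if (got != want) throw new AssertionError(uid + ": expected " + want + " but got " + got);
    }
}
```

Running main throws an AssertionError if any case deviates from the policy; it completes silently when all seven cases decide as intended.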

Step 8: Add the following markup to the view JSP of the portlet. It shows the message left in the portlet session by processAction, renders one action link per test user, and then clears the message so it is shown only once. The portlet tag library must be declared at the top of the JSP.
<%@ taglib uri="http://java.sun.com/portlet_2_0" prefix="portlet" %>
<%
    String message = (String) renderRequest.getPortletSession().getAttribute("message");
%>
<% if (message != null) { %>
    <span><%= message %></span><br/>
<% } %>

<a href='<portlet:actionURL>
            <portlet:param name="userId" value="puser"/>
         </portlet:actionURL>'>Privileged User</a>
<a href='<portlet:actionURL>
            <portlet:param name="userId" value="nuser"/>
         </portlet:actionURL>'>Normal User</a>
<%-- clear the message once it has been displayed --%>
<% renderRequest.getPortletSession().setAttribute("message", null); %>

Step 9: Finally, to give the users of the Admins group impersonation privileges, assign the Can Run As User role to the appropriate user:
  1. Log on to WebSphere Portal as an administrator.
  2. Click Administration.
  3. Click Access > User and Group Permissions.
  4. Click Users.
  5. Search for the user (a user in the Admins group) you want to assign as Can Run As User.
  6. Click the Select Resource Type icon for the required user.
  7. Navigate to the page that contains the Virtual Resources option, using the Page Next button and click that link.
  8. Navigate to the page that contains the USERS option and click the Assign Access icon.
  9. Select the Explicitly Assign check box for the Can Run As User role.
  10. Click OK.
  11. Verify that the required user now has User and Can Run As User access.
