1 Reply Latest reply on Sep 16, 2013 1:27 PM by Nitin Khare

    ATG Privileges for Pages

    saminda konkaduwa



      I am working with ATG User Authentications.

      So what i need to do is, restrict pages when UN-authorized person type URL and try to brows that page.

      I have created User Roles, Organizations and Users in BCC.

      I can access those users and roles using ATG Out Of The Box feature called /atg/userdirectory/droplet/HasFunction


      <dsp:droplet name="/atg/userdirectory/droplet/HasFunction">

           <dsp:param bean="Profile.id" name="userId"/>

           <dsp:param value="FullfilmentAdmin" name="function"/>

           <dsp:oparam name="true">

                                  <dsp:valueof value="he is admin"/>


                              <dsp:oparam name="false">

                                  <dsp:valueof value="he is not admin"/>





      However this approach doesn't give opportunities to make authentication based on pages. Above approach is based on user roles.

      So what i need to do is, restrict pages when UN-authorized person type URL and try to brows that page.


      Anyone does know how to make Page authentication rather than using above method ?



        • 1. Re: ATG Privileges for Pages
          Nitin Khare

          I assume you are trying to do user authentication if user is not authorized and if not you want user to be presented with a login screen for authorization. There can be different ways to do this ranging from simple to not-so-simple depending on exactly what and how you want to do it. Probably the simplest approach can be to make use of transient property of user-profile in a switch droplet and redirect to the login page using the Redirect droplet as required for an anonymous user. The example here will gives an idea of this approach:

          Oracle ATG Web Commerce - Other Commonly Used Servlet Beans


          In case you have customized the userProfile definition by adding your own security-status and customized the request pipeline to set the security-status based on your application logic then you can use it in place of Profile.transient.


          Another approach is to add your own AuthenticationServlet in the request handling pipeline based on the BasicAuthenticationPipelineServlet class similar to what has been used for dyn/admin. Refer this documentation

          Oracle ATG Web Commerce - Authentication


          There is one more way where you can add your own servlet-filter for your application which can extend atg.servlet.DispatchFilter class so that you can specify parameters like login or redirect page, pages to check etc. through <init-param> section of your filter entry in web.xml and access them in your filter class with their respective getter/setter. Apply the necessary checks and logic inside the overridden doFilterRequest() of your filetr-class and you are all set.