WebSphere 7 Portal: Servlet checking for login status to Portal?

I run a WebSphere 7.0 Portal. One has to log in to be able to see any information, which is fine for all portlets. But additionally there are a couple of servlets that I deploy in the same WAR file that produce some raw data for AJAX scripts.

Currently one can bypass the authentication from WebSphere Portal if one knows the URL to that particular servlet. I want to change this and check if the user is currently logged in to the Portal. How do I do this? I tried ((PumaHome) new InitialContext().lookup(new CompositeName(PumaHome.JNDI_NAME))).getProfile().getCurrentUser(); but this returns null.

Best answer

WebSphere Application Server returns principal and remote user only if you configure it to use the Java EE security context for your web application. Edit your web.xml to contain something like:

<security-constraint>
 <display-name>userConstraint</display-name>
 <web-resource-collection>
  <web-resource-name>secure</web-resource-name>
  <url-pattern>/*</url-pattern>
  <!-- No <http-method> elements: the constraint then applies to every HTTP method, not only GET and POST -->
 </web-resource-collection>
 <auth-constraint>
  <description>user</description>
  <role-name>user</role-name>
 </auth-constraint>
</security-constraint>
<security-role>
 <description>secrole</description>
 <role-name>user</role-name>
</security-role>

and redeploy your application. After deploying your application, take a look at the application's settings in the Administrative Console. You will notice "User/role mapping". Add "all authenticated users from trusted realms" to the newly added role. Restart the application.

After that, anonymous users cannot access your application anymore. Also, the getRemoteUser and other APIs will return the user properly.
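A pre-deployment check for the kind of descriptor discussed in this answer, as an added example that is not part of the original post. It goes slightly beyond the answer by relying on the Servlet specification rule that a constraint listing `<http-method>` elements applies only to those methods; the function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a <security-constraint> that lists GET and POST,
# wrapped in a minimal <web-app> root so it parses on its own.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
 </security-constraint>
 <security-role><role-name>user</role-name></security-role>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so descriptors of any schema version match."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every descendant element with the given local name."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def audit_web_xml(xml_text):
    """Return findings about how well the security constraints cover the app."""
    root = ET.fromstring(xml_text)
    declared = set()
    for e in root:
        if _local(e.tag) == "security-role":
            declared.update(_texts(e, "role-name"))
    constraints = [e for e in root if _local(e.tag) == "security-constraint"]
    if not constraints:
        return ["no security-constraint: the container requires no login"]
    findings = []
    for c in constraints:
        patterns = _texts(c, "url-pattern")
        methods = _texts(c, "http-method")
        has_auth = any(_local(e.tag) == "auth-constraint" for e in c)
        if methods:  # listed methods narrow the constraint to just those methods
            findings.append("%s: only %s constrained; other HTTP methods are not covered"
                            % (patterns, "/".join(methods)))
        if not has_auth:
            findings.append("%s: no auth-constraint, so no login is required" % patterns)
        for role in _texts(c, "role-name"):
            if role != "*" and role not in declared:
                findings.append("%s: role '%s' has no security-role" % (patterns, role))
    return findings
```

An empty result means every constraint covers all HTTP methods, requires a role, and references only declared roles.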