Checking the Permission in the Application

Use

In this step, you use the checkPermission() method of the IUser interface to verify that the logged-in user holds the permission required for an activity, in this case viewing the car rental reservations. If the user does not hold the permission, checkPermission() throws a java.security.AccessControlException, which the servlet must handle.

Prerequisites

The J2EE Development perspective is displayed in the SAP NetWeaver Developer Studio.

The quick car rental application’s Web client project, J2EE_QuickCarRentalWeb, is displayed in the J2EE Explorer.

You have created the QuickReservationPermission Java class.

Procedure


       1.      Expand J2EE_QuickCarRentalWeb → source → com → sap → engine → examples → servlet → quickcarrental.

       2.      Open or return to the QuickReservationServlet.java file by selecting it with a double-click.

       3.      Add the import statements for the permission and exception classes.

import com.sap.engine.examples.permissions.QuickReservationPermission;
import java.security.AccessControlException;

       4.      Insert the permission check in the code.

The permission check takes place in the viewAllBookings() method. Add the parameter user of type IUser to this method and call the user's checkPermission() method at the start of the try block, before the bookings are read from the EJB. Check for the permission named "access". Catch the AccessControlException that checkPermission() throws when the user does not hold this permission; in that case the bookings are not read and only a message is stored for the client. See the sample code below.

   private void viewAllBookings(
      HttpServletRequest request,
      QuickOrderProcessorLocal order,
      IUser user) {

      HttpSession session = request.getSession(true);
      QuickBookingModel[] bookings;

      try {
         // Throws AccessControlException if the user lacks the "access" permission
         user.checkPermission(new QuickReservationPermission("access"));

         try {
            bookings = order.viewActiveBookings();
            session.setAttribute(
               Constants.RESERVATIONS,
               formatBookings(bookings));
         } catch (QuickCarRentalException e) {
            session.setAttribute(Constants.CLIENT_MESSAGE, e.getMessage());
         }
      } catch (AccessControlException e) {
         // Permission denied: no bookings are read, only a message is stored
         session.setAttribute(Constants.CLIENT_MESSAGE, e.getMessage());
      }
   }

       5.      To check the permission, the application must know which user is logged in. Therefore, adjust the doGet() and doPost() methods so that they determine the logged-in user with UMFactory.getAuthenticator().getLoggedInUser() and pass it as the parameter user to doWork(), which in turn passes it to viewAllBookings(). If no user is logged in, forceLoggedInUser() triggers the logon procedure and the method returns without processing the request:

doGet()

   protected void doGet(
      HttpServletRequest request,
      HttpServletResponse response)
      throws ServletException, IOException {

      // Determine the logged-in user; null means nobody is authenticated yet
      IUser user = UMFactory.getAuthenticator().getLoggedInUser(request, response);
      if (null == user) {
         UMFactory.getAuthenticator().forceLoggedInUser(request, response);
         return;
      }
      doWork(request, response, user);
   }

doPost()

   protected void doPost(
      HttpServletRequest request,
      HttpServletResponse response)
      throws ServletException, IOException {

      // Same logon handling as in doGet()
      IUser user = UMFactory.getAuthenticator().getLoggedInUser(request, response);
      if (null == user) {
         UMFactory.getAuthenticator().forceLoggedInUser(request, response);
         return;
      }
      doWork(request, response, user);
   }

doWork()

   public void doWork(
      HttpServletRequest request,
      HttpServletResponse response,
      IUser user)
      throws ServletException {

      QuickOrderProcessorLocal order = initializeController();
      handleRequest(request, response, order);
      // The permission check happens inside viewAllBookings()
      viewAllBookings(request, order, user);
      HttpSession session = request.getSession(true);
      RequestDispatcher dispatcher =
         request.getRequestDispatcher("/view");
      try {
         dispatcher.forward(request, response);
      } catch (IOException e) {
         e.printStackTrace();
         throw new ServletException(e.getMessage());
      }
   }

       6.      Save the file.
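The procedure above catches the AccessControlException and stores its message text for the client, but it leaves whatever value the session attribute Constants.RESERVATIONS already held from an earlier request untouched and echoes the exception text to the browser. The following helper class is an added example, not part of the SAP tutorial or the quick car rental sample: it wraps the UME check from this page (IUser.checkPermission(), UMFactory.getAuthenticator().getLoggedInUser() and forceLoggedInUser()) in a fail-closed form and removes the stale attribute on denial. The class name PermissionGuard, the method names, the generic denial message and the declared parameter type java.security.Permission for checkPermission() are assumptions made for this example; everything else is taken from the code on this page.

```java
package com.sap.engine.examples.servlet.quickcarrental;

import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;

/**
 * Added example (not part of the SAP tutorial): fail-closed helpers around the
 * UME calls used in QuickReservationServlet. Class and method names are assumptions.
 */
public final class PermissionGuard {

    // Assumed generic text; the tutorial stores e.getMessage() instead
    static final String DENIED_MESSAGE = "You are not authorized to view reservations.";

    private PermissionGuard() {
    }

    /**
     * Returns the logged-in user, or null after triggering the logon procedure.
     * Centralises the block that the tutorial repeats in doGet() and doPost().
     * A null return means the caller must stop processing the request.
     */
    public static IUser requireLoggedInUser(HttpServletRequest request,
                                            HttpServletResponse response)
            throws IOException {
        IUser user = UMFactory.getAuthenticator().getLoggedInUser(request, response);
        if (user == null) {
            UMFactory.getAuthenticator().forceLoggedInUser(request, response);
        }
        return user;
    }

    /**
     * True only if checkPermission() completes without throwing.
     * An anonymous (null) user is always denied; no exception leaves this method.
     * Parameter type java.security.Permission is assumed; the tutorial passes a
     * QuickReservationPermission, which must be a Permission for the catch to compile.
     */
    public static boolean isGranted(IUser user, Permission permission) {
        if (user == null) {
            return false;
        }
        try {
            user.checkPermission(permission);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    /**
     * Denial path for the reservation view: drop any bookings an earlier request
     * stored in this session so the view cannot show them, then store a message
     * that does not reveal the exception text.
     */
    public static void denyView(HttpSession session) {
        session.removeAttribute(Constants.RESERVATIONS);
        session.setAttribute(Constants.CLIENT_MESSAGE, DENIED_MESSAGE);
    }
}
```

With this helper, doGet() and doPost() reduce to `IUser user = PermissionGuard.requireLoggedInUser(request, response); if (user == null) return; doWork(request, response, user);`, and in viewAllBookings() the outer try/catch becomes `if (!PermissionGuard.isGranted(user, new QuickReservationPermission("access"))) { PermissionGuard.denyView(session); return; }` followed by the unchanged inner try block that reads and formats the bookings. Note that this check still lives in the Web tier only; a caller that reaches QuickOrderProcessorLocal.viewActiveBookings() by another route is not stopped by it, which is why the next step protects the EJB methods as well.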

Result

The application checks whether the current user holds the "access" permission before it reads the car rental reservations. If the permission is missing, the bookings are not read and the user receives a message instead.

Next Step:

Protecting Access to the EJB Methods Using UME Permissions