Enable User Impersonation in WebSphere Portal – an Illustrated Guide

In this post, I provide an illustrated guide to enabling user impersonation in WebSphere Portal. It’s technical, but simple. I am simply using the WebSphere Portal documentation for enabling user impersonation and adding some screenshots and commentary based on my own lessons learned. For a quick overview of user impersonation, please refer to my previous post, which introduces the subject. You can also refer to my next post for a quick video demonstration of this feature.

Important Points to Note

First, a few key points you need to know:

1. User Impersonation allows one user to take on the attributes of another user so they can view the portal as if they were that user. When one user impersonates another, they effectively become that user for the life of the impersonation session. This, obviously, may have security and privacy implications, which you should consider.
2. You can choose who gets to impersonate and who does not.
3. You can enable the User Impersonation Service as of WebSphere Portal 6.1.5.
4. In WPS 6.1.5, there is no out-of-the-box portlet allowing you to pick a user and engage an impersonated session. You have to write your own portlet for now, based on some sample code. In WPS 7, you get a nice portlet out-of-the-box.
5. There are no differences between WPS 6.1.5 and WPS 7 for enabling the user impersonation service, so IBM’s documentation and my guide work for both.
6. Client side aggregation does not support user impersonation. For this reason, ensure you do not activate client side aggregation on any portal pages where the impersonation portlet is deployed. No problem; you can just use the default portal theme for the page with the impersonation portlet. Your admins can hack it, right?
7. When a user who is enabled for impersonation impersonates other users, the people awareness feature is disabled for the entire session for which that user is authenticated.

Enable the User Impersonation Service

First, log on to the WebSphere Application Server (WAS in a single node environment) or Network Deployment Administration Console (a.k.a. ‘The Deployment Manager’ in a clustered environment). What we’re going to do is add two custom properties to two items in WAS, then bounce the portal server.

Navigate to Resources -> Resource Environment -> Resource Environment Providers as shown below:

When you click on Resource Environment Providers, you’ll get a list of all kinds of resources in the main page. Find the one called “WP AuthenticationService” and click it (as shown below):

In the detail view for WP AuthenticationService, click Custom properties:

We’re adding a new custom property, so click the New button:

  • Enter logout.explicit.filterchain in the Name field.
  • Enter com.ibm.wps.auth.impersonation.impl.ImpersonationLogoutFilter in the Value field.
  • Click Apply and then click Save to save the changes directly to the master configuration.

Just to make you feel comfortable, here’s what it looks like:

When you’re done, the custom property you added should look like this:

Certainly, I don’t have to tell you that if you don’t get the name and value for the property right, you can blow this thing. I also don’t need to give you redundant screenshots for the same process either. So, in the next steps, you’ll be doing the same thing – just for a different resource environment provider.

  • Navigate to Resources -> Resource Environment -> Resource Environment Providers -> WP PortletServiceRegistryService -> Custom Properties.
  • Click New.
  • Enter jndi.com.ibm.portal.portlet.service.impersonation.ImpersonationService in the Name field.
  • Enter com.ibm.wps.portletservice.impersonation.impl.ImpersonationServiceImpl in the Value field.
  • Click Apply and then click Save to save the changes directly to the master configuration.

The custom property you added should look like this:

Now, stop and restart the WebSphere_Portal server and the Impersonation service should be enabled.
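
Because a single mistyped character in either name or value leaves the service disabled, the saved configuration can be checked against the two expected properties. The script below is an added example, not code from IBM or from the original post; it assumes the custom properties are persisted in `resources.xml` as `resourceProperties` elements under each `ResourceEnvProvider`, and the sample XML (with placeholder namespaces and a deliberate typo) is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Provider -> (property name, value), exactly as given in the steps above.
EXPECTED = {
    "WP AuthenticationService": ("logout.explicit.filterchain",
        "com.ibm.wps.auth.impersonation.impl.ImpersonationLogoutFilter"),
    "WP PortletServiceRegistryService": (
        "jndi.com.ibm.portal.portlet.service.impersonation.ImpersonationService",
        "com.ibm.wps.portletservice.impersonation.impl.ImpersonationServiceImpl"),
}

# Constructed sample: assumed resources.xml layout, placeholder namespaces.
# The second property name has a lower-case "i": a typo the audit must catch.
SAMPLE = """<xmi:XMI xmlns:xmi="urn:example:xmi" xmlns:env="urn:example:env">
 <env:ResourceEnvProvider name="WP AuthenticationService"><propertySet>
  <resourceProperties name="logout.explicit.filterchain"
   value="com.ibm.wps.auth.impersonation.impl.ImpersonationLogoutFilter"/>
 </propertySet></env:ResourceEnvProvider>
 <env:ResourceEnvProvider name="WP PortletServiceRegistryService"><propertySet>
  <resourceProperties
   name="jndi.com.ibm.portal.portlet.service.impersonation.impersonationService"
   value="com.ibm.wps.portletservice.impersonation.impl.ImpersonationServiceImpl"/>
 </propertySet></env:ResourceEnvProvider>
</xmi:XMI>"""

def provider_properties(xml_text):
    """Map each provider name to its {custom property name: value}."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.endswith("ResourceEnvProvider"):  # tag may be namespaced
            props = found.setdefault(el.get("name"), {})
            for p in el.iter():
                if p.tag.endswith("resourceProperties"):
                    props[p.get("name")] = p.get("value")
    return found

def audit(xml_text):
    """Return provider -> 'ok', 'missing', or a description of the mistake."""
    found, report = provider_properties(xml_text), {}
    for provider, (name, value) in EXPECTED.items():
        props = found.get(provider, {})
        near = [k for k in props if k and k.strip().lower() == name.lower()]
        if name in props:
            report[provider] = "ok" if props[name] == value else "wrong value"
        else:
            report[provider] = ("misspelled name: " + near[0]) if near else "missing"
    return report

if __name__ == "__main__":
    print("\n".join("%s -> %s" % kv for kv in audit(SAMPLE).items()))
```

The same report also works as an audit: two `ok` results mean the impersonation service is switched on for that portal.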

Conclusion

In this post, I showed you how to enable the User Impersonation Service in WebSphere Portal (the process is the same for WPS 6.1.5. and WPS 7). I simply rehashed the product documentation, but tried to add some value with images and commentary. To actually see user impersonation in action, we still need to define which users can impersonate others. We also need an impersonation portlet that will allow those users to leverage the service to impersonate other users. We’ll cover that in the next post, so stay tuned.

  • http://twitter.com/cabodj Dave Jones

    Have you tried impersonation behind a reverse proxy such as TAM, Siteminder, OpenAM, etc? I haven’t seen documentation that says either way if that will work.

    • Cody Burleson

      No, I have not tried it and you raise an excellent point! This is the problem with lab exercises; they rarely reflect the reality of the real world. I am now forced to admit that this series of posts is not yet acceptable. I will be on a mission to get to the bottom of your question. No promises on how long it will take. Thanks for your valuable commentary.

      • http://profiles.google.com/cabodj74 Dave Jones

        These posts are perfectly acceptable. There’s nothing wrong with them not covering every scenario. That’s what comments are for, and it gives you nice material for a followup post!

        I’m hoping to have the opportunity to try Portal impersonation behind TAM (v5.1 unfortunately) in my customer’s dev environment. I’ll post if I come up with anything.

    • Ebenezer Samuel

      I tried the impersonation behind TAM and it is working fine. 

      Our Portal is behind WebSEAL and the Portal Logout link is configured to use the WebSEAL’s logout, which is, pkmslogout.  Now after enabling impersonation and impersonating as another user, when I click on the logout link, Portal intelligently logs out the impersonated user and does not do a WebSEAL logout.  And now, the second time if you click the logout link in the Portal, the Portal knows that you are the ‘REAL’ user and logs you out of WebSEAL. 

      • http://www.codyburleson.com/ Cody Burleson

        That’s good news, Ebenezer. Thank you so much for taking the time to contribute your experience to this discussion.

  • http://www.codyburleson.com/ Cody Burleson

    Post Note: In a recent email from a Level 2 Support and Staff Software Engineer for WebSphere Portal, I received the following suggestion:

    Please add a comment about “impersonation in a multi-node cluster likely will require an IBM APAR – PM34927”: https://www-304.ibm.com/support/docview.wss?uid=swg1PM34927

  • Amitabh_khera

    Hi,
    I am getting the following error on impersonation portlet.
    Error 500: java.lang.NoClassDefFoundError: com.ibm.wps.portletservice.impersonation.impl.OriginalUserCredential Please suggest what to do.

  • Amitabh_khera

    Hi,
    I am getting the following error on impersonation portlet.
    Error 500: java.lang.NoClassDefFoundError: com.ibm.wps.portletservice.impersonation.impl.OriginalUserCredential Please suggest what to do. This might be happening because we have upgraded our Portal from 6.1 to 6.1.5 by applying fix pack. So might be some jar files are not updated.

  • Vitor Pereira

    Would this work for IBM Connections?

    • http://www.codyburleson.com/ Cody Burleson

      As far as I understand, User Impersonation is not a feature that is inherent to IBM Connections alone. However, I found a document which seems to suggest that User Impersonation can be extended from Portal to other servers in certain SSO configurations (IBM Connections was noted as one, for example). See: Managing Enterprise Portals with User Impersonation. In particular, review the section titled ‘Managing the scope of user impersonation in single sign-on environments’.

      • Vitor Pereira

        Thanks! As far as I understand it is not even a Portal feature, it’s a WAS feature, right? Connections runs on WAS like Portal does so I assume it is also available.

        • http://www.codyburleson.com/ Cody Burleson

          I have seen no documentation outside of the WebSphere Portal documentation. It may very well be primarily a sub-system running on WAS; a lot of WPS parts are (especially security related stuff). But since it cannot be found in the straight WAS documentation, I would not assume it to be supported (even if you could get it to work). Of course, in Portal 7, you also get some features in the theme and a portlet that facilitate the impersonation process and those elements would likely be unavailable to Connections or WAS straight-up.