MicroStrategy ONE

 isRequestAuthorized

The isRequestAuthorized method gets called for every request to MicroStrategy Web. This method is used to determine if an authenticated user is authorized to perform the requested action. In a custom implementation of the ESM, this method can be customized to add authorization criteria to be applied on top of the authorization criteria checks normally performed by MicroStrategy Web.

Common scenarios in which this method is used in a custom implementation of the ESM are:

  • Adding custom validations for a user.  

  • Keeping track of individual requests to perform usage analysis or gather other types of statistics.

The following information is provided to help you use this method when you create a custom ESM.

Method signature

public boolean isRequestAuthorized(RequestKeys reqKeys, ContainerServices cntSvcs, WebIServerSession user)

Parameters

The following parameters are passed into the isRequestAuthorized method: 

  • reqKeys

    This parameter allows the External Security Module to inspect information present in the original request. This information represents a collection of cookie, URL, and FORM data key/value pairs, together with information from session variables. 

  • cntSvcs

    This parameter lets the External Security Module interact directly with the container, for example to inspect session variables and other data values not exposed through the RequestKeys object, or to access values such as headers that are not available through the RequestKeys instance. 

  • user

    This parameter provides the WebIServerSession associated with the user making the request.

Return Values

The isRequestAuthorized method returns a boolean value indicating whether the user making the request is authorized to perform the requested action.

  • true (default)

    The user making the request meets the authorization criteria, indicating that processing should continue.  

  • false

    The user making the request does not meet the authorization criteria, indicating that the incoming request should be terminated.

Pre-conditions

This method is called with every request.

Post-operations

The following operations take place after the method call has finished, based on the return value:

  • If this method returns "true", the application proceeds with normal processing of the request. 

  • If this method returns "false", the application terminates the incoming request and calls the getFailureURL method.
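
The following sketch is an added example, not code from MicroStrategy. It covers both scenarios listed above (a custom validation and per-request usage tracking) and returns false if the custom check itself fails. Assumptions not taken from this page: the AbstractExternalSecurity base class and the package names, the RequestKeys.getValue and WebIServerSession.getLogin accessors, the "evt" request key, and the sample event ID and login.

```java
import com.microstrategy.web.app.AbstractExternalSecurity;
import com.microstrategy.web.beans.RequestKeys;
import com.microstrategy.web.objects.WebIServerSession;
import com.microstrategy.web.platform.ContainerServices;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;
import java.util.logging.Logger;

// Added example: base class, packages, getValue and getLogin are assumed SDK names.
public class AuditingESM extends AbstractExternalSecurity {
    private static final Logger LOG = Logger.getLogger(AuditingESM.class.getName());
    // Constructed sample values: replace with your deployment's event IDs and logins.
    private static final Set<String> RESTRICTED_EVENTS = Set.of("EVENT_ID_PLACEHOLDER");
    private static final Set<String> PRIVILEGED_LOGINS = Set.of("bi_admin");
    // Usage counters keyed by session login, never by request-supplied strings,
    // so a client cannot grow the map by sending arbitrary values.
    private static final Map<String, LongAdder> USAGE = new ConcurrentHashMap<>();

    // Pure decision function with no SDK types, so it can be unit tested alone.
    static boolean isAllowed(String event, String login) {
        if (event == null || !RESTRICTED_EVENTS.contains(event)) {
            return true; // not a restricted action: the standard Web checks still apply
        }
        return login != null && PRIVILEGED_LOGINS.contains(login);
    }

    @Override
    public boolean isRequestAuthorized(RequestKeys reqKeys, ContainerServices cntSvcs,
                                       WebIServerSession user) {
        try {
            String event = reqKeys.getValue("evt");              // assumed key name
            String login = (user == null) ? null : user.getLogin(); // assumed accessor
            String who = (login == null) ? "(no login)" : login;
            USAGE.computeIfAbsent(who, k -> new LongAdder()).increment();
            boolean allowed = isAllowed(event, login);
            if (!allowed) {
                // event is a member of RESTRICTED_EVENTS here, so it is safe to log.
                LOG.warning("ESM denied event " + event + " for login " + who);
            }
            return allowed;
        } catch (RuntimeException e) {
            // Fail closed: an error in the custom check must not authorize the request.
            LOG.severe("ESM authorization check failed: " + e.getClass().getName());
            return false;
        }
    }
}
```

Because this method is called with every request, any exception path that returns false terminates that request and triggers getFailureURL, so keep the check cheap and free of external dependencies that can fail.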