I am converting a project from "form"-submit based to DWR (Ajax) submit. Both work 
fine together. 
At the top security (login, portlet access) level I will use JBoss. 
Like in any project :-) some actions must be valid only for some users. Since 
DWR is just a servlet, I must check user rights here too.

From the DWR servlet I successfully have access to the user and role module, but to 
know who is logged in, the only solution I have found so far is storing the user 
name in a session attribute.

In the portlet with admin/secure operations:

  | // somewhere in doView(RenderRequest request, RenderResponse response)
  | // getRemoteUser() is filled in by the portal's (JBoss) login, so it can be trusted
  | String ruser = request.getRemoteUser();
  | if (ruser != null) {
  |     // getPortletSession(true) always returns a session, so no null check is needed.
  |     // APPLICATION_SCOPE attributes live in the web app's HttpSession, which is why
  |     // the DWR servlet in the same web app can read them later.
  |     PortletSession sss = request.getPortletSession(true);
  |     sss.setAttribute("ruser", ruser, PortletSession.APPLICATION_SCOPE);
  | }
  | 

From a DWR class method:

  | // imports: org.directwebremoting.WebContext, org.directwebremoting.WebContextFactory,
  | //          javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpSession
  | WebContext ctx = WebContextFactory.get();
  | HttpServletRequest req = ctx.getHttpServletRequest();
  | // getSession(false): do not create a session for an unauthenticated caller
  | HttpSession sss = req.getSession(false);
  | if (sss != null) {
  |     // only server-side code can set this attribute, the browser cannot forge it
  |     String ruser = (String) sss.getAttribute("ruser");
  |     if (ruser != null) {
  |         // user is authenticated
  |         // now check against JBoss through the role module etc. ...
  |     }
  | }
  | 

So, yes, it's working. When logging out, JBoss cleans the session too.
But I have 2 questions:
1) Is it really secure? Can an exploit hack into my DWR function? 
(there's always a risk; I meet hacks easily ...)
2) Is there a better solution to get who is logged in, directly by asking 
JBoss Portal?

What I really need is to have access to the roles list of the logged-in user 
making the request; that's all (I'm using EJB to an external DB and Jackrabbit).

Thanks

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133218#4133218

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

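The two questions above (is the session-attribute approach safe, and is there a more direct way to get the caller's identity and roles) are illustrated by the following added example. It is not code from the original post or from JBoss Portal or DWR; it assumes DWR 2.x package names (org.directwebremoting), that the DWR servlet runs in the same web application as the portlet (so it shares the HttpSession), and, for the first branch, that the DWR servlet URL is covered by a security-constraint in web.xml in the same security domain as the portal login, so that JBoss container-managed security fills in getUserPrincipal() and isUserInRole(). The lookupRoles method stands in for the poster's own EJB role module and is a hypothetical placeholder.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.directwebremoting.WebContext;
import org.directwebremoting.WebContextFactory;

/**
 * A DWR-remoted class whose methods decide who the caller is from server-side
 * state only. The caller's identity is never taken from a method argument,
 * because every argument is under the browser's control.
 */
public class SecureService {

    /**
     * Resolve the caller's user name.
     *  1. Prefer container-managed security (assumption: the DWR servlet URL is
     *     under a security-constraint in web.xml, same security domain as the
     *     portal), in which case JBoss has already authenticated the request.
     *  2. Otherwise fall back to the "ruser" attribute the portlet stored in the
     *     APPLICATION_SCOPE session. Only server-side code can set a session
     *     attribute, so it is exactly as trustworthy as the session cookie itself.
     */
    static String currentUser(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        if (p != null) {
            return p.getName();
        }
        HttpSession sss = req.getSession(false);   // never create a session here
        if (sss == null) {
            return null;
        }
        Object ruser = sss.getAttribute("ruser");
        return ruser instanceof String ? (String) ruser : null;
    }

    /**
     * Placeholder for the poster's EJB role module (hypothetical, not a real API).
     * Fail closed: until it is wired up, nobody holds any role via this path.
     */
    protected Set<String> lookupRoles(String userName) {
        return Collections.emptySet();
    }

    /**
     * Throws unless the caller holds the role. DWR reports the exception to the
     * browser as an error, so the remoted method body never runs for an
     * unauthorised caller.
     */
    void requireRole(String role) {
        WebContext ctx = WebContextFactory.get();
        HttpServletRequest req = ctx.getHttpServletRequest();
        String user = currentUser(req);
        if (user == null) {
            throw new SecurityException("not logged in");
        }
        // container roles first (only meaningful when the request was
        // container-authenticated), then the application's own role module
        if (req.isUserInRole(role) || lookupRoles(user).contains(role)) {
            return;
        }
        throw new SecurityException("user " + user + " lacks role " + role);
    }

    /** Example remoted method: docId comes from the client, the caller's identity does not. */
    public String deleteDocument(String docId) {
        requireRole("admin");
        // ... call the EJB / Jackrabbit code here
        return "deleted " + docId;
    }
}
```

Two practical notes. First, expose only the methods you mean to remote: in dwr.xml, list them with `<include method="deleteDocument"/>` inside the `<create>` element rather than remoting every public method of the class, so helpers like `requireRole` are never callable from the browser. Second, because the identity comes from the session cookie, the remaining exposure is the usual one for any cookie-authenticated Ajax endpoint, cross-site request forgery; keep the state-changing methods behind the role check and make sure your DWR version's request-origin or session-id check is enabled.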