Aaron,
The easiest way to do access control is to have the portlet put some
bit of private information in the application scope of the session. The
servlet can then access the session, check for the info, and proceed if
it is found.
-Eric
Aaron Evans wrote:
Santiago Gala <sgala <at> apache.org> writes:
One possibility would be to forward to a separate servlet container,
where the download would take place, but it is a kludge, and I'm not
sure that all requirements of A&A, session, etc. can be met easily.
Regards
Santiago
Right, I thought of simply using a link to a servlet. I will probably include
it in the same .war as my portlets.
However, that leaves an access control problem. When I access my portlet through
the portal, my user principal is available but when I bypass the portal and go
straight to a servlet, it is not. Therefore, I cannot verify the user's
credentials.
The one other possibility is that I could try using container-level SSO to have
the user principal shared across web-apps.
I'll post my results. I am actually using jetspeed2 and tomcat, but I thought
that this user group would have more ideas on the download problem.
Frankly, it is somewhat mind-blowing that they didn't think of file downloads
when they came up with JSR-168 since file downloads were the foundation of the
web.
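
The session-scope check Eric describes at the top of the thread, sketched as an added example (not code from anyone on the list). It assumes the servlet is packaged in the same .war as the portlet and that the request reaches it with that application's session; the class names, the attribute name, the `/download` mapping and the sample file id are hypothetical.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;
import javax.portlet.*;
import javax.servlet.http.*;

// Hypothetical grant object; the attribute name is shared by portlet and servlet.
final class DownloadGrant implements Serializable {
    static final String ATTR = "example.download.grant";
    final String user;          // principal name as seen through the portal
    final Set<String> fileIds;  // ids this user may fetch
    DownloadGrant(String user, Set<String> fileIds) { this.user = user; this.fileIds = fileIds; }
}

class FileListPortlet extends GenericPortlet {
    @Override
    protected void doView(RenderRequest req, RenderResponse resp) throws PortletException, IOException {
        if (req.getUserPrincipal() == null) return;  // anonymous user: no grant is issued
        Set<String> allowed = Collections.singleton("sample-file-id");  // constructed sample
        // APPLICATION_SCOPE attributes are visible to servlets of the same web application.
        req.getPortletSession().setAttribute(DownloadGrant.ATTR,
                new DownloadGrant(req.getUserPrincipal().getName(), allowed),
                PortletSession.APPLICATION_SCOPE);
        resp.setContentType("text/html");
        String url = resp.encodeURL(req.getContextPath() + "/download?id=sample-file-id");
        resp.getWriter().print("<a href=\"" + url + "\">Download</a>");
    }
}

class DownloadServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);  // never create a session here
        Object grant = (session == null) ? null : session.getAttribute(DownloadGrant.ATTR);
        String id = req.getParameter("id");
        // Deny unless the portlet issued a grant that covers exactly this id.
        if (!(grant instanceof DownloadGrant) || id == null
                || !((DownloadGrant) grant).fileIds.contains(id)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // A real servlet would resolve the id through a server-side table, never as a path.
        resp.setContentType("application/octet-stream");
        resp.getOutputStream().write("constructed sample content".getBytes("UTF-8"));
    }
}
```

Storing the permitted ids rather than a bare flag means a direct request to the servlet is refused both when no portal login preceded it and when the id was never offered to that user.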