> However, that leaves an access control problem.
> When I access my portlet through the portal,
> my user principal is available but when I by-pass
> the portal and go straight to a servlet, it is not.
> Therefore, I cannot verify the user's credentials.

One trick you can use to work around that issue, since it'll be your portlet generating the links to the servlet downloader, is to have the portlet do the work of figuring out who the user is and whether they're allowed to see something and only then giving the user the link, and only then putting something in the session (with application scope) that the servlet can check to be sure that the check has already been processed...

So if you hit the servlet without already having had access to the portlet, it'll do nothing or give you an authz error. And if you ask the servlet for something that the portlet didn't already allow you to see (via whatever token you put in the session to denote that), it could also give you an error...

Hope that helps,
..Mike

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Evans
Sent: Thursday, September 15, 2005 8:53 AM
To: [EMAIL PROTECTED]
Subject: Re: File Download From a Portlet

Santiago Gala <sgala <at> apache.org> writes:

>
> One possibility would be to forward to a separate servlet container,
> where the download would take place, but it is a kludge, and I'm not
> sure that all requirements of A&A, session, etc. can be met easily.
>
> Regards
> Santiago
>

Right, I thought of simply using a link to a servlet. I will probably include it in the same .war as my portlets.

However, that leaves an access control problem. When I access my portlet through the portal, my user principal is available but when I by-pass the portal and go straight to a servlet, it is not. Therefore, I cannot verify the user's credentials.

The one other possibility is that I could try using container-level SSO to have the user principal shared across web-apps.

I'll post my results. I am actually using jetspeed2 and tomcat, but I thought that this user group would have more ideas on the download problem.

Frankly, it is somewhat mind-blowing that they didn't think of file downloads when they came up with JSR-168 since file downloads were the foundation of the web.
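
The approach Mike describes, as an added example that is not code from this thread or from Jetspeed: the portlet records a per-file grant in the application-scope portlet session, and the servlet refuses any request that has no matching grant. It assumes the servlet is deployed in the same .war as the portlet and receives the same HttpSession; `DownloadServlet`, `GRANT_PREFIX`, `FILES` and the `id` parameter are hypothetical names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.portlet.PortletSession;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical names: DownloadServlet, GRANT_PREFIX, FILES, the "id" parameter.
public class DownloadServlet extends HttpServlet {
    static final String GRANT_PREFIX = "example.download.grant.";

    // Constructed sample data; a real application would use its own store.
    // The id is only ever a lookup key, never part of a file path.
    static final Map<String, byte[]> FILES = Map.of(
            "report-1", "constructed sample content\n".getBytes(StandardCharsets.UTF_8));

    // Portlet side: call only after the portlet has checked the user principal
    // and decided this user may fetch fileId, then render the link to the servlet.
    public static void grant(PortletSession portletSession, String fileId) {
        // APPLICATION_SCOPE attributes are visible to servlets in the same web
        // application through HttpSession, under the same attribute name.
        portletSession.setAttribute(GRANT_PREFIX + fileId, Boolean.TRUE,
                PortletSession.APPLICATION_SCOPE);
    }

    // Servlet side: serve only what the portlet already allowed in this session.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String id = req.getParameter("id");
        HttpSession session = req.getSession(false); // never create a session here
        boolean granted = id != null && session != null
                && Boolean.TRUE.equals(session.getAttribute(GRANT_PREFIX + id));
        byte[] body = granted ? FILES.get(id) : null;
        if (body == null) {
            // Same answer for "no session", "not granted" and "unknown id",
            // so the servlet does not reveal which ids exist.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("application/octet-stream");
        resp.setContentLength(body.length);
        // Safe to echo: id reached this point only by matching a server-side key.
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + id + "\"");
        resp.getOutputStream().write(body);
    }
}
```

The grant lives only as long as the session, so a link copied into another browser or used after logout gets the 403.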
