On 11/14/2014 11:24 PM, Bryn Jeffries wrote: > I asked: >>> I'd like to upload files through a custom File Upload servlet that runs >>> from the >>> same Tomcat server but is not part of XWiki. > [...] >>> Is it possible to make use of the supplied XWiki UI widgets to upload to >>> this >>> servlet? Any guidance on how to do this would be greatly appreciated. > > Marius said: >> See http://platform.xwiki.org/xwiki/bin/view/DevGuide/HTML5Upload for >> how to use the file upload widget inside XWiki. > > This has been helpful, thanks. Is it possible for me to get hold of any xwiki > session information within my external servlet? I'd like to know the XWiki > name of the user that's uploading the file. >
I guess it is possible to do that, but you would have to write a component that is: - a custom XWiki authenticator http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HCustomAuthentication to store the session id on login (and remove it at logout) - and maybe a Session listener: https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSessionListener.html to handle session timeout - finally has an API to communicate that information to the external servlet, without leaking the session-ids to other "interested" parties Somehow that does not look like a good idea to me. > Presumably one way would be to include the user name in the form request, > though browsing through some of the code > (https://github.com/xwiki/xwiki-platform/blob/stable-6.2.x/xwiki-platform-core/xwiki-platform-web/src/main/webapp/resources/uicomponents/widgets/upload.js) > it looks at first glance that there's no way to add this unless I paste them > as GET variables in the action URL. > The alternative to fiddeling with form action is to use hidden form fields; these should be send to the target in the same way as the form action. To do this you are back in server-side template-land (instead of JavaScript), where you should be able to say something like <input type="hidden" name="userId" value="$escapetool.html($xcontext.user)" /> <input type="hidden" name="userName" value="$escapetool.html($xwiki.getUserName($xcontext.user))" /> (cobbled together with the help of http://platform.xwiki.org/xwiki/bin/view/SRD/Navigation?xpage=embed , untested ...) This data then should be send to the upload servlet. Admittedly this is not spoof-proof (anyone e.g. can use a brwoser-dev tool like firebug and edit the values before uploading the file). If you want "safe and secure" method, you might consider "container authentication" (i.e. users come from the servlet container) http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HContainerAuthentication then the upload servlet has the same user as XWiki (except for "XWiki-only users, for which the widget will just not work). Oh, and if the servlet really moves to a different server ... well, maybe it works to set up a distributed user authentication like CAS. just a few thoughts as I came along, use at own risk ;) > Alternatively if the file submission has corresponding session data (not sure > whether this is the case) would it be possible for my servlet to request the > user name from XWIki in some way? > _______________________________________________ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users > _______________________________________________ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
