[jboss-user] [JBoss Portal] - cross auth between jportal and dwr/servlet better solution t

je.a.le do-not-reply at jboss.com
Fri Feb 29 08:36:04 EST 2008


I converted a project from "form"-submit based to DWR (Ajax) submit. Both work fine together.
At the top security level (login, portlet access) I will use JBoss.
Like in any project :-) some actions must be valid only for some users. Since DWR is just a servlet, I must check user rights here too.

From the DWR servlet I successfully have access to the user and role module, but to know who is logged in, the only solution I have found so far is storing the user name in a session attribute.

In the portlet with admin/secure operations:

  | // somewhere in the portlet's doView (imports: javax.portlet.PortletSession, javax.portlet.RenderRequest)
  | String ruser = request.getRemoteUser();   // null unless the portal has authenticated the user
  | if (ruser != null) {
  |     PortletSession sss = request.getPortletSession(true);
  |     if (sss != null) {
  |         // APPLICATION_SCOPE attributes are stored directly in the HttpSession,
  |         // so servlets in the same web application can read them under the same name
  |         sss.setAttribute("ruser", ruser, PortletSession.APPLICATION_SCOPE);
  |     }
  | }
  | 

From a DWR class method:

  | // inside a DWR-exposed method (imports: org.directwebremoting.WebContext,
  | // org.directwebremoting.WebContextFactory, javax.servlet.http.HttpServletRequest,
  | // javax.servlet.http.HttpSession)
  | WebContext ctx = WebContextFactory.get();
  | HttpServletRequest req = ctx.getHttpServletRequest();
  | HttpSession sss = req.getSession(false);   // false: never create a session for an unknown caller
  | if (sss != null) {
  |     String ruser = (String) sss.getAttribute("ruser");
  |     if (ruser != null) {
  |         // user is authenticated
  |         // now check against JBoss through the role module etc.
  |     }
  | }
  | 

So, yes, it's working. When logging out, JBoss cleans the session too.
But I have 2 questions:
1) Is it really secure? Could an exploit hack into my DWR function? (There's always a risk; I meet hacks easily ...)
2) Is there a better solution to get who is logged in, directly by asking JBoss Portal?

What I really need is access to the list of roles of the logged-in user making the request; that's all (I'm using EJB to an external DB and Jackrabbit).

Thanks

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133218#4133218

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4133218
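Added example, not code from the original post or from JBoss Portal/DWR: a DWR-exposed method that derives the caller from the servlet container itself rather than from a name a portlet copied into the session, and that fails closed. It assumes (this is not stated on the page) that the DWR servlet is deployed in a web application whose requests carry the portal's container-managed authentication, so `HttpServletRequest.getRemoteUser()` and `isUserInRole()` reflect the portal login; the class name, the method `deleteDocument` and the role name "admin" are illustrative.

```java
// Added example (hypothetical class), not the original poster's code.
// Assumption: the DWR servlet runs under the same container authentication as the
// portal, so the container, not a session attribute, is the source of the caller's
// identity and roles. Role name and method names are placeholders.
import javax.servlet.http.HttpServletRequest;
import org.directwebremoting.WebContext;
import org.directwebremoting.WebContextFactory;

public class SecureDwrService {

    /** Role the container must confirm before the privileged operation runs (assumed name). */
    private static final String REQUIRED_ROLE = "admin";

    /**
     * Authenticated caller as known to the servlet container, or null.
     * Nothing here reads or creates an HttpSession: a session attribute can only
     * ever be as trustworthy as the code that wrote it, while getRemoteUser() is
     * populated by the container's own login and cannot be set by application code.
     */
    static String currentUser(HttpServletRequest req) {
        return req.getRemoteUser();
    }

    /**
     * Throws instead of returning a flag so that a forgotten "if" in a caller
     * cannot silently grant access. Checks authentication before authorization
     * so an anonymous caller is rejected with a distinct message.
     */
    static void requireRole(HttpServletRequest req, String role) {
        String user = currentUser(req);
        if (user == null) {
            throw new SecurityException("not authenticated");
        }
        if (!req.isUserInRole(role)) {
            throw new SecurityException("user " + user + " lacks role " + role);
        }
    }

    /** Illustrative DWR-exposed method performing an administrative action. */
    public String deleteDocument(String docId) {
        WebContext ctx = WebContextFactory.get();
        HttpServletRequest req = ctx.getHttpServletRequest();
        requireRole(req, REQUIRED_ROLE);   // every privileged entry point starts with this line
        // ... the privileged work (EJB / Jackrabbit call) would go here ...
        return "deleted " + docId + " as " + currentUser(req);
    }
}
```

If `getRemoteUser()` comes back null inside the DWR servlet while the same user is visibly logged in to the portal, the DWR servlet is not under the portal's security domain; the practical fix is to put it there (so the container checks the caller on every DWR request) rather than to carry the user name across in the session. The session-attribute approach in the post is not directly forgeable by the client, since the attribute lives server-side and is written only after `getRemoteUser()` is non-null, but it trusts every other component of that web application that can write the attribute, and it grants nothing about roles, which still have to be looked up per request.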



More information about the jboss-user mailing list