I am converting a project from "form"-submit based to DWR (Ajax) submit. Both work
fine together.
At the top security (login, portlet access) level I will use JBoss.
Like in any project :-) some actions must be valid only for some users. Since DWR is just a
servlet, I must check user rights here too.
From the DWR servlet I successfully have access to the user and role
module, but to know who is logged in, the only solution I have found so far is storing the
user name in a session attribute.
In the portlet with admin/secure operations:
| // somewhere in the doView
| String ruser = request.getRemoteUser();
| if (ruser != null) {
|     PortletSession sss = request.getPortletSession(true);
|     if (sss != null) {
|         // APPLICATION_SCOPE attributes are stored in the underlying HttpSession
|         // under the same name, so a servlet in the same web app can read them
|         sss.setAttribute("ruser", ruser, PortletSession.APPLICATION_SCOPE);
|     }
| }
|
From a DWR class function:
| WebContext ctx = WebContextFactory.get();
| HttpServletRequest req = ctx.getHttpServletRequest();
| // false: never create a session here, an anonymous caller must stay anonymous
| HttpSession sss = req.getSession(false);
| if (sss != null) {
|     String ruser = (String) sss.getAttribute("ruser");
|     if (ruser != null) {
|         // user is authenticated
|         // now check against JBoss through the role module etc.
|     }
| }
|
So, yes, it's working. When logging out, JBoss cleans the session too.
But I have 2 questions:
1) Is it really secure?? Can an exploit hack into my DWR function??? (There's
always a risk; I run into hacks easily ...)
2) Is there a better solution to get who's logged in, directly by asking JBoss Portal
???
What I really need is to have access to the roles list of the logged-in user making the
request; that's all (I'm using EJB to an external DB and Jackrabbit).
Thanks
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133218#...
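One way to put the check described in the post into a single fail-closed guard that every DWR-exposed method calls first (an added example, not code from the post or from JBoss/DWR). It assumes the DWR servlet shares the portlet application's HttpSession, that the attribute name is "ruser" as above, and that the portal's role module is wrapped behind a hypothetical RoleLookup adapter you supply.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.directwebremoting.WebContext;
import org.directwebremoting.WebContextFactory;

/** Fail-closed authorization guard for DWR methods (added example, not from the post). */
public final class DwrAccessGuard {

    /** Hypothetical adapter over the portal's user/role module; implement it yourself. */
    public interface RoleLookup {
        boolean userHasRole(String userName, String role);
    }

    private final RoleLookup roles;

    public DwrAccessGuard(RoleLookup roles) {
        this.roles = roles;
    }

    /** Returns the logged-in user name, or null when nobody is logged in. Never creates a session. */
    public static String currentUser() {
        WebContext ctx = WebContextFactory.get();
        if (ctx == null) {
            return null; // called outside a DWR request
        }
        HttpServletRequest req = ctx.getHttpServletRequest();
        // If the container has populated the principal for this request, prefer it ...
        String user = req.getRemoteUser();
        if (user != null) {
            return user;
        }
        // ... otherwise fall back to the attribute the portlet stored in APPLICATION_SCOPE
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute("ruser");
    }

    /** Throws unless the caller is logged in and holds the required role; returns the user name. */
    public String requireRole(String role) {
        String user = currentUser();
        if (user == null) {
            throw new SecurityException("not logged in");
        }
        if (!roles.userHasRole(user, role)) {
            throw new SecurityException("user " + user + " lacks role " + role);
        }
        return user;
    }
}
```

In each DWR method the first statement becomes `String user = guard.requireRole("admin");`, so a caller with no session, no attribute or the wrong role gets an exception before any EJB or Jackrabbit call runs.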