3 Replies Latest reply on Apr 17, 2007 8:00 AM by antoine_h

Access userPrincipal from Servlet

taprogge Apr 13, 2007 5:45 AM

Hi!

I am trying to implement a file download function inside a portlet, i.e. a link inside the portlet that will provide the user with a file.

I am using a Servlet to handle the download because I have to pull the file from the database first.

Is there any way to access the portal's userPrincipal from inside the Servlet so that I can make sure the user is authenticated before sending the response?

It seems that both request.getUserPrincipal() and request.getRemoteUser() return null in this setup.

Any thoughts?

Best regards,

Phil

1. Re: Access userPrincipal from Servlet

antoine_h Apr 13, 2007 11:32 AM (in response to taprogge)

by the way, you have an example of downloading a file in the CMSAdmin portlet. It is for downloading an export of the CMS.
may be things there.

The HttpSession, which is seen by the servlet, is not the same as the portletSession that is used by the portlet.

what you can do is set the principal from the portlet, into the HttpSession, before to show the link, and then get it in the servlet. (with an attribute of the session).
Search in the forum post for HttpSession and httpservletrequest. I have posted code to get those from the portlet.

This is not a nice way.

A clean way is to get the Principal from the security domain of the portal.

you can see an example of this done in the JbossIntegrationFilter filter that is provided with Acegi.
It does something similar. Just to adapt in your servlet.
See the code at :
http://acegisecurity.org/multiproject/acegi-security-jboss/xref/org/acegisecurity/adapters/jboss/JbossIntegrationFilter.html

or download the Acegi Security source to get the java file.

You may also use a security constraint in the web.xml to let the user access to the servlet only if he is authenticated.
look at the CMSAdmin portlet, to see how the servlet is setup, and add some security constraint (related to the corresponding prefix in the url...).
Actions
2. Re: Access userPrincipal from Servlet

taprogge Apr 17, 2007 7:14 AM (in response to taprogge)

Hello again and thanks for your answer.

Unfortunately, I am still stuck...

I do not want to hand over the login info through the session, that's just ugly.
So I tried your second solution.

If I understand it correctly, the JBossIntegrationFilter basically just looks up "java:comp/env/security/subject" to extract the login info from that.
I tried that, but somehow looking up the subject always returns null, regardless of the actual portal login.
Am I still doing something wrong here?

By the way, I am using Jboss 4.0.5.GA with Portal 2.4.

Thanks for your insights and best regards,

Phil
Actions
3. Re: Access userPrincipal from Servlet

antoine_h Apr 17, 2007 8:00 AM (in response to taprogge)

I look at the CMSExportServlet in the jboss portal sources. It does not enforce security... so it is a bad track. sorry.

where is your servlet ?
calling the jndi service for the subject works with the filter put in web.xml of the portal-server.war.
This web app is the context where the sercurity domain is defined.
so if not in this context, then that is why the subject is not found
sounds logical if there are none defined in your web app, no ?
I am not sure, but sound logical...

I am not good enough at tomcat, security realm, domains, etc...
but I guess you can manage to set your web app to share the same authentification "domain" as the one of the portal, ie the one of portal-server.war

or look at jboss security ref guide, and how to secure a web app.
they explain how to set it in a web app, and compare with the portal-server.war web app.

hope it helps...
Actions

Go to original post