2 Replies Latest reply on Oct 3, 2005 6:01 PM by psalvadori

Java Web Start & JBoss Portlet - URGENT

psalvadori Oct 3, 2005 11:56 AM

I Have installed JBoss Portal, I have created my own portal instance and I have populated it with a set of portlets built by me. So I have a big problem:
in one of these portlet i want to insert a link to a jsp that dynamically create a jnlp descriptor to download a web start application. To do this I inserted my jsp inside the portlet directory (.war) in a "jsp" directory. The link so point to

<%=renderRequest.getContextPath()%>/jsp/dynjnlp.jsp

that is traduced to

http://localhost:8080/<portlet-name>/jsp/dynjnlp.jsp

all works correctly but there is a problem;
the portlet that provide this link is protected with the security mechanism provided by jboss portal so if I want to download the application I must log in in the portal. But if I try to write the string

http://localhost:8080/<portlet-name>/jsp/dynjnlp.jsp

in the address bar of my browser, I can download the application too and it is not nice.

So I'd like to know if there is a method to protect resources inside a portlet or if there's another way to do this. Please help me.
Thanks in advance.
Paolo.

1. Re: Java Web Start & JBoss Portlet - URGENT

julien1 Oct 3, 2005 12:10 PM (in response to psalvadori)

Indeed, the portlet spec does not cover that.

And btw this is the same reason that AJAX has security holes in a portal.

One thing you can try is :

1/ put a token in the http session
2/ put a servlet filter in your war files that checks if the token is present or not in order to grant access to the resources
Actions
2. Re: Java Web Start & JBoss Portlet - URGENT

psalvadori Oct 3, 2005 6:01 PM (in response to psalvadori)

Thanks Julien for your quick reply, i'll tyr to do what you said and i'll tell you my results.
Thanks again, Paolo.
Actions

Go to original post