By the way, you have an example of downloading a file in the CMSAdmin portlet. It is for downloading an export of the CMS.
There may be things there.
The HttpSession, which is seen by the servlet, is not the same as the portletSession that is used by the portlet.
What you can do is set the principal from the portlet into the HttpSession before showing the link, and then get it in the servlet (with an attribute of the session).
Search the forum posts for HttpSession and HttpServletRequest. I have posted code to get those from the portlet.
This is not a nice way.
A clean way is to get the Principal from the security domain of the portal.
You can see an example of this done in the JbossIntegrationFilter filter that is provided with Acegi.
It does something similar. Just adapt it in your servlet.
See the code at :
or download the Acegi Security source to get the java file.
You may also use a security constraint in the web.xml to let the user access the servlet only if he is authenticated.
Look at the CMSAdmin portlet to see how the servlet is set up, and add a security constraint (related to the corresponding prefix in the URL...).
Hello again and thanks for your answer.
Unfortunately, I am still stuck...
I do not want to hand over the login info through the session, that's just ugly.
So I tried your second solution.
If I understand it correctly, the JBossIntegrationFilter basically just looks up "java:comp/env/security/subject" to extract the login info from that.
I tried that, but somehow looking up the subject always returns null, regardless of the actual portal login.
Am I still doing something wrong here?
By the way, I am using JBoss 4.0.5.GA with Portal 2.4.
Thanks for your insights and best regards,
I looked at the CMSExportServlet in the JBoss Portal sources. It does not enforce security... so it is a bad track. Sorry.
Where is your servlet?
Calling the JNDI service for the subject works with the filter put in the web.xml of portal-server.war.
This web app is the context where the security domain is defined.
So if it is not in this context, then that is why the subject is not found.
Sounds logical if there are none defined in your web app, no?
I am not sure, but it sounds logical...
I am not good enough at Tomcat, security realms, domains, etc.
But I guess you can manage to set your web app to share the same authentication "domain" as the one of the portal, i.e. the one of portal-server.war.
Or look at the JBoss security reference guide, and how to secure a web app.
They explain how to set it in a web app, and you can compare with the portal-server.war web app.
Hope it helps...
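
The check discussed in this thread, as an added example that is not code from any poster, JBoss Portal or Acegi: a servlet that refuses the download unless the container reports an authenticated caller, first through `getUserPrincipal()` and then through the `java:comp/env/security/subject` lookup quoted above. The class name `SecuredDownloadServlet` and the helper `resolveCaller` are hypothetical, and the sketch assumes the web app has been bound to the same security domain as the portal.

```java
import java.io.IOException;
import java.security.Principal;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name; not part of JBoss Portal or Acegi.
public class SecuredDownloadServlet extends HttpServlet {
    // JNDI name quoted in the thread. It only resolves inside a web app
    // that is bound to a JBoss security domain.
    private static final String SUBJECT_JNDI = "java:comp/env/security/subject";

    /** Returns the authenticated caller's name, or null if there is none. */
    static String resolveCaller(HttpServletRequest req) {
        // Container-managed principal, set when a security constraint applies.
        Principal p = req.getUserPrincipal();
        if (p != null) {
            return p.getName();
        }
        try {
            Object o = new InitialContext().lookup(SUBJECT_JNDI);
            if (o instanceof Subject) {
                // Simplification: takes the first principal in the Subject.
                for (Principal sp : ((Subject) o).getPrincipals()) {
                    return sp.getName();
                }
            }
        } catch (NamingException e) {
            // Name not bound: this web app has no security domain configured.
        }
        return null;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String caller = resolveCaller(req);
        if (caller == null) {
            // Fail closed: an unidentified caller never reaches the file.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Authentication required");
            return;
        }
        // Authorisation for this caller and streaming of the file go here.
        resp.setContentType("text/plain");
        resp.getWriter().println("download placeholder");
    }
}
```

A null result from both lookups is treated as "not authenticated" rather than as an error to work around, which is the behaviour wanted when the servlet is deployed outside the portal's security domain.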