0 Replies Latest reply on Feb 29, 2008 8:36 AM by je le

    cross auth between jportal and dwr/servlet better solution t

    je le Newbie

      I convert a project from "form" submit based to dwr (ajax) submit. both work fine together.
      At the top security(login, portlet access) level i will use jboss.
      Like in any project :-) some actions must be valid only to some users. Since dwr is just servet, i must check user right here too.

      From the dwr servlet i succesfully have access to user and role module, but to know who is logged in, the only solution I found so far is by storing the user name into a session attribute.

      in portlet with admin/secure op :

      // somewhere in the doView
      String ruser = request.getRemoteUser();
       if (ruser != null) {
       PortletSession sss = request.getPortletSession(true);
       if (sss != null) {
       sss.setAttribute("ruser", ruser, PortletSession.APPLICATION_SCOPE);

      from a dwr class function
      WebContext ctx = WebContextFactory.get();
      HttpServletRequest req = ctx.getHttpServletRequest();
      HttpSession sss = req.getSession(false);
      if (sss != null) {
       String ruser = (String)sss.getAttribute("ruser");
       if( ruser !=null ){
       // user auth
       // now check againt jboss through role module etc.....

      So, yes it's working. when loggin out, jboss clean the session too.
      But i have 2 questions :
      1) is it really secure ?? can an exploit might hack into my dwr function ??? (there's always a risk, I meet hack easily ...)
      2) Is there a better solution, to get who's loggin in, direclty by asking jbossportal ???

      what I really need, is to have acces to the roles list of the logged in user making the request; that's all (I'm using ejb to external db and jackrabbit)