Skip to main content

Liferay DWR Session and Security made easy

In my previous article I discussed about using DWR inside Liferay Portlets, I wasn't happy with security this model provides. First lets have a look at what I proposed

ThemeDisplay themeDisplay = (ThemeDisplay)portletRequest.getAttribute(WebKeys.THEME_DISPLAY);
        portletRequest.getPortletSession().setAttribute("THEME_DISPLAY", themeDisplay, PortletSession.APPLICATION_SCOPE);

I was executing the above code inside my portlet's doView() and this puts themeDisplay or remoteUser object into portlet session's application scope, that means my DWR classes access the object like this

    @RemoteMethod
    public String echo(String msg, HttpSession session) {
        ThemeDisplay themeDisplay = (ThemeDisplay)  session.getAttribute("THEME_DISPLAY");
    }


The problems what I see in the above technique is

  1. User can access DWR methods even after his portlet session ends, since DWR Session and portlet session are different
  2. Inverse of the above, A DWR session can expire while portlet session is still active  

Comments

Anonymous said…
Have you find out any good solution?
March 1, 2011 at 11:06 AM
Post a Comment

Popular posts from this blog

Access multiple Databases in JPA

According to JPA specification we can define multiple "persistence-unit" elements (i.e. like below) in persistence.xml file and can easily refer them inside Dao layers as this. public class PolarDaoImpl {     @PersistenceContext(unitName="PolarPU")     protected EntityManager entityManager; -- } public class BearDaoImpl {     @PersistenceContext(unitName="BearPU")     protected EntityManager entityManager; -- } Checkout sample persistence.xml <?xml version="1.0" encoding="UTF-8"?> <persistence version="2.0" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd">     <!-- Database 1 -->     <persistence-unit name="PolarPU" transaction-type="RESOURCE_LOCAL">        ...
3 comments
Read more

Validating CSV Files

What is CsvValidator ?   A Java framework which validates any CSV files something similar to XML validation using XSD. Why should I use this ?   You don't have to use this and in fact its easy to write something your own and also checkout its source code for reference. Why did I write this ?   Some of our projects integrate with third party application which exchanges information in CSV files so I thought of writing a generic validator which can be hooked in multiple projects or can be used by QA for integration testing. What is the license clause ?   GNU GPL v2 Are there any JUnit test cases for me checkout ?  Yes,  source How to integrate in my existing project ? Just add the Jar which can be downloaded from here  CsvValidator.jar  and you are good. Instantiate  CsvValidator c onstructor which takes these 3 arguements          // filename is the the file to be validated and here ...
7 comments
Read more
               Top 10 Apps missing in HP TouchPad Without these Apps my experience is only limited to browsing web pages, though WebOS is really better multitasking device than iOS but without commonly used Apps it's only limited. 1. Native YouTube App   - You can't just use finger to do everything on 60% YouTube.com                       2. Netflix - I love to do multitasking, with Netflix running and ability to do other stuff     3 Facebook - Most of the people always like to be connected all the time here   My Mistake Skype Video is working     4  Skype - Ability to do voice and video chat, and without this I need to keep my Mac on.   5 Google Talk - Ability to do voice, video chat...
16 comments
Read more