In EncryptedBlobSecurityTokenService, the method
getBlobCrypterSecurityToken contains the lines:

values.put(AbstractSecurityToken.Keys.OWNER.getKey(),
           String.valueOf(userService.getUserById(
               regionWidget.getRegion().getPage().getOwnerId()).getUsername()));
values.put(AbstractSecurityToken.Keys.VIEWER.getKey(),
           String.valueOf(user.getUsername()));

Is there ever a situation where the owner of the page is not the current
user? If not, the calls

userService.getUserById(regionWidget.getRegion().getPage().getOwnerId()).getUsername()

and

User user = userService.getAuthenticatedUser();

should be identical.

I am running into an issue generating a security token where I pass in a
dummy RegionWidget that has no associated region. If the 'OWNER' and
'VIEWER' properties are always set to the current authenticated user, the
getBlobCrypterSecurityToken can be safely modified to accommodate passing
in a dummy RegionWidget.

Let me know if this is the case.
