You might try encoding the session id in the trustedjson section of the security token.
The token makes it's way most of the way down to the Fetcher. Might be less refactoring for you. From: Dennis Ju <[email protected]> To: [email protected], Date: 11/07/2011 09:39 PM Subject: Re: Accessing "protected" gadgets? Hi guys, So I've been trying to do a POC to pass my browser session to Shindig so that I can copy the session cookies to the http request created by Shindig. However, I seem to be doing quite a lot of refactoring of code to pass my session instance from the servlet down to the HttpFetcher. Is there a more elegant solution that others have implemented? I'd like to avoid so much refactoring for obvious maintenance concerns. Thanks! Dennis On Tue, Nov 1, 2011 at 7:20 AM, Ciancetta, Jesse E. <[email protected]> wrote: > >-----Original Message----- > >From: Dennis Ju [mailto:[email protected]] > >Sent: Monday, October 31, 2011 3:41 PM > >To: [email protected] > >Subject: Re: Accessing "protected" gadgets? > > > >Right you are. > > > >Here are the two threads I've found on the topic: > > > >http://www.mail-archive.com/[email protected]/msg02610.html > >http://www.mail-archive.com/[email protected]/msg02915.html > > Yup -- those are the ones I was thinking of. Thanks for digging them up. > > >Among the latest relevant discussion points is your (Jesse) previous post > >here <http://www.mail- > >archive.com/[email protected]/msg02995.html>. > >Has anybody successfully implemented running trusted and untrusted > >gadgets > >on separate domains? > > We've implemented it as I described in the thread you referenced above and > its worked out really well. > > >It seems Maxwell Xandeco and Nuwan Bandara may have workable solutions > >(albeit only assuming trusted domains)? > > Yeah -- there were a bunch of different ideas discussed in those threads. > Let us know if you have any more specific questions. > > >Thanks, > >Dennis > > > >On Mon, Oct 31, 2011 at 10:53 AM, Ciancetta, Jesse E. > ><[email protected]>wrote: > > > >> >-----Original Message----- > >> >From: Dennis Ju [mailto:[email protected]] > >> >Sent: Monday, October 31, 2011 1:33 PM > >> >To: [email protected] > >> >Subject: Accessing "protected" gadgets? > >> > > >> >Hello, > >> > > >> >Is there a way for Shindig to access a gadget XML who's URL requires > >> >authentication? We want to allow hosting private gadgets that require a > >> >user to be logged in and authorized to view the gadget. I would imagine > >> >that this has been a requirement for others using Shindig as well. > >> > >> Yeah -- this has definitely come up and been discussed on the mailing > list > >> in the past. I don't recall if there was any resolution though -- have > you > >> seen any of those discussions? Would you mind trying to dig them up in > the > >> list archives and sending out some pointers to those discussions so we > can > >> all review them? > >> > >> >Right now, the problem is that > >DefaultGadgetSpecFactory.getGadgetSpec() > >> >calls AbstractSpecFactory.fetchFromNetwork(), which in turn creates its > >> own > >> >HttpRequest object to retrieve the XML content. > >> > > >> >I'm thinking I'll need to use Guice to override getGadgetSpec() or > >> >fetchFromNetwork()? Or is there a better way to do this? > >> > > >> >Any help would be appreciated. > >> > > >> >Thx! > >> >Dennis > >> > > > > > > > >-- > > > >*Italy Symposium* > >18 November 2011 > >Register today: www.liferay.com/Italy2011 > -- *Italy Symposium* 18 November 2011 Register today: www.liferay.com/Italy2011
