Cubehead <cubehead <at> gmail.com> writes:
>
> Hi all,
>
> I wish to create a JSR-168 compliant portlet that will display a list of
> files with meta-data and then provide a link to download the binary file.
>
> The files will not be public and access control will be on a user by user
> basis.
>
> Has anyone figured out a way to do this?
>
> thanks kindly,
> Cubehead
>

Cubehead,

IMHO, the java community has forgotten that the web was founded on file downloads when they came up with JSR-168. I believe (and hope) that the next release of the portlet/portal spec will address file downloads from within the context of a portlet. I had the exact same problem and have solved it for the jetspeed 2 environment on tomcat.

Here is a high-level description of how I have approached this problem:

I have a servlet/portlet application, running in a context called 'my-application' (for example). In this application, I have a portlet which displays meta-data about some binary files and then provides links to download them. I do not create the download links as portal generated ones but rather URIs to a download servlet, which is also in the 'my-application' application.

Now for adding security. What I have done is to enable SSO in tomcat. Then, I move the jetspeed JAASRealm from the jetspeed context config element to the localhost engine config element in the appropriate tomcat config files. Additionally, I have moved the tomcat manager UserDatabase realm from the localhost engine config element servlet.xml to the manager application manager.xml config file. This leaves the manager app working against the usual tomcat-users.xml file for its authentication.

Now, if I authenticate against jetspeed as the admin user with the admin role, when I click the download link (which will bypass jetspeed) and hit my download servlet, under SSO, I will be recognized as the admin user in the admin role in that environment (using security methods on the request object).

Now you have a variety of options for enforcing security. If you just need blanket role-based security against the download servlet, then the easiest way to accomplish this is using the typical security constraint configurations in the web.xml file. However, in your case (and in mine), you need user-by-user security enforcement (no doubt on the requested resource to download).

Since you have access to the user principal name, you can use that within your servlet code to do a security check and return not authorized if appropriate.

If you need more info than just their user name and roles to do your security check, this is where it gets a little trickier. You will need to look up any additional info in whatever data store that information is kept. If it is jetspeed's default database where it is kept, then you will want to move jetspeed's jdbc/jetspeed JNDI data source to the container level as well so that you can access it from your servlet. Then you will need to do the appropriate SQL lookups.

If it *is* jetspeed stored data you are after, there may be a way to get access to the coarse grained security services and user attribute manager from the servlet code, but I have not figured that out yet.

HTH,
aaron
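
The per-user check described in the reply above, sketched as an added example that is not part of the original message or of Jetspeed. The class name `DownloadServlet`, the `id` request parameter, the file path and the two in-memory maps are hypothetical stand-ins for the real mapping and data store; it assumes a Servlet 3.1+ container and Java 9+.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical download servlet, mapped in the web.xml of 'my-application'.
public class DownloadServlet extends HttpServlet {

    // Constructed sample data standing in for the real data store:
    // file id -> location on disk, and file id -> users allowed to fetch it.
    private static final Map<String, Path> FILES = Map.of(
        "report-1", Paths.get("/srv/files/report-1.pdf"));
    private static final Map<String, Set<String>> ALLOWED_USERS = Map.of(
        "report-1", Set.of("admin", "alice"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Set by the container when SSO carries the portal login over.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Resolve by opaque id only; never build a path from request input.
        String id = req.getParameter("id");
        Path file = (id == null) ? null : FILES.get(id);
        if (file == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Per-user check on the requested resource, deny by default.
        Set<String> allowed = ALLOWED_USERS.getOrDefault(id, Set.of());
        if (!allowed.contains(user.getName())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("application/octet-stream");
        resp.setHeader("Content-Disposition",
            "attachment; filename=\"" + file.getFileName() + "\"");
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream());
    }
}
```

Because the download link bypasses the portal, this check is the only authorization the file ever gets; the portlet hiding a link from a user does not stop that user from requesting the id directly.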
