I understand Andrew's concern, but (perhaps out of my well-documented ignorance) I don't think what I'm going to describe will cause a security breach. If there is a possible security issue, you can easily add some additional checking at the start of your JSP page. With that caveat, I'll give you a few thoughts on how I use custom JSP pages with JSPWiki.

First, it helps to understand how JSPWiki works. This is a very brief (and hopefully not oversimplified) overview. For a 'normal' request, what JSPWiki does is handle it with Wiki.jsp, which sets the context and then passes it to ViewTemplate.jsp, which takes care of maintaining the site's look and feel (header, footer, left/right menus). Then ViewTemplate.jsp invokes the JSP that handles the main content area for the specific page being invoked; for normal pages this is PageContent.jsp. The content manager page (PageContent.jsp in this example) then invokes whatever is associated with the desired page, typically a set of tabs (handled by, for example, PageTab.jsp), which then ends up loading the wikipage (typically a text file or a JDBC database record).

What I do is reserve a keyword for the names of the special pages that are implemented with JSP. For example, Wiki.jsp?page=MySpecialPage. I modify ViewTemplate so that, if it gets that particular page, it behaves somewhat differently than normal. Instead of invoking PageContent, the customized ViewTemplate.jsp invokes my JSP. The instruction to do that is something like this:

   <div id="page"><wiki:Include page="../MySpecialPage.jsp"/></div>
   [Note: you need to include a relative path to your JSP, wherever it
   resides.]

If you need to pass a parameter to your JSP page, you might have a different instruction, such as:

   <div id="page">
     <jsp:include page="../MySpecialPage.jsp">
       <jsp:param name="parm1" value="<%=value1%>"/>
     </jsp:include>
   </div>
   [Note: you might get the value of parm1 by parsing some elements
   from the request, among other ways.]

Now you can treat your JSP (MySpecialPage) the same way you treat any wikipage (from the LeftMenu or anyplace else). In order for this 'pseudo wikipage' to be properly recognized by JSPWiki, you may also want to create a simple companion MySpecialPage (represented by a text file). This companion page is basically empty, but I'd generally add an ACL that prevents non-admins from reading or changing it.

What this does is allow you to integrate some special computational routines into JSPWiki with only minor changes (though you need to keep in mind that when you upgrade the templates, you need to carry the ViewTemplate.jsp modifications forward too).

Having said all this, I invite Andrew to comment. He's a very smart guy who knows a LOT more about security than do I. There may be some problems in this approach I'm not aware of. (As I prepare to post this, I notice that Andrew seems to have shifted his view a bit, but I'd still like his comments about this approach.)



Matthias Käppler wrote:
Hi Terry,

2007/11/26, Terry Steichen <[EMAIL PROTECTED]>:
Matthias,

Upon rereading your post, I think you raise a couple of issues that are
kind of intertwined.  First, you seem to be asking if you can display
your own JSP within JSPWiki (rather than being restricted to using only
text-based wikipages).  Second (assuming that the answer is 'yes' to the
first question), you ask if you can use the 'specialPage' feature to
link to this new page from an ordinary wikipage (like LeftMenu).

The answer to both questions is 'yes', but there's a small amount of
customizing (to ViewTemplate.jsp) that needs to be done to accomplish
this.  But before getting into how this can be done, maybe you can
confirm that you did indeed intend to ask the two above questions I
describe above (or perhaps add some additional clarification).


That is correct, I am writing a Dojo-driven semantic search interface, so I
have to run a lot of client-side JavaScript in that JSP. Of course I also
want the search to be reachable from the LeftMenu (or any other wikipage). So,
yes, these two problems are connected and I'd be glad for any hints.

Best,
Matthias
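
An added example, not part of the original message and not JSPWiki's own code: one form the "additional checking at the start of your JSP page" mentioned above could take, so that MySpecialPage.jsp only renders when reached through the include from ViewTemplate.jsp. The names MySpecialPage and parm1 come from the message; the com.ecyrd.jspwiki package name, the assumption that the wiki has already applied the companion page's ACL before the include, and the pattern allowed for parm1 are assumptions.

```jsp
<%-- Top of MySpecialPage.jsp: added example, not JSPWiki's own code. --%>
<%-- Assumption: WikiContext lives in com.ecyrd.jspwiki in this release
     (later releases use org.apache.wiki). --%>
<%@ page import="com.ecyrd.jspwiki.WikiContext" %>
<%
    // The servlet container sets this attribute only while a resource is
    // being included; it is null when the JSP is requested by its own URL.
    if (request.getAttribute("javax.servlet.include.request_uri") == null) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
    }

    // From here on we are inside an include, where the container ignores
    // sendError(), so a failed check simply renders nothing.

    // Require the wiki context that was set up before ViewTemplate.jsp ran,
    // and require that it names the companion wikipage (the one carrying
    // the ACL), not some other page that happened to include this JSP.
    WikiContext ctx = WikiContext.findContext(pageContext);
    if (ctx == null || ctx.getPage() == null
            || !"MySpecialPage".equals(ctx.getPage().getName())) {
        return;
    }

    // parm1 arrives through <jsp:param>, but its value was derived from the
    // request, so treat it as untrusted input. The allowed pattern below is
    // a constructed assumption; tighten it to what the page really needs.
    String parm1 = request.getParameter("parm1");
    if (parm1 != null && !parm1.matches("[A-Za-z0-9_-]{1,64}")) {
        return;
    }
%>
```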
