Thread: Authentication / Authorization / SOAP WebServices / JSR-181

Authentication / Authorization / SOAP WebServices / JSR-181
2007-04-02 12:21:52
Hi!

All examples I find on the internet with Laszlo are of the type:
REST OpenLaszlo SOLO without Authentication or Authorization...
or
SOAP to OpenLaszlo without Authentication or Authorization...

The common ground? No authentication or authorization...

Now, when I was building my first examples, using REST seemed like a better option (you only have to link the dataset with a URL, and "that is it") and SOAP is far more complicated because you have to link a remote call to a WSDL url, send the XML describing the operation you want to perform, and bind that remote call to the dataset. (It is easy to see why most examples are built the REST way)

But, since all examples I can find don't care about authorization or authentication then I can't find an example on how to handle issues like:
-Is the current user logged in? (authentication)
-Is the current user authorized to perform that action?

How can I communicate with Laszlo using SOAP authentication? is there an example somewhere?

I thought about using basic authentication (I know that way, the web server "protects" the resources until the user is authenticated)... but, then I get into a problem: it is not performance wise to have 1 lzx file for each action I want to perform (every lzx "page" weighs 160 Kbytes), therefore, it is better if I have only a small number of lzx pages, and I use one of Laszlo's components (like "windows") for application navigation, but then I get into a different problem... how can I be sure that the current user is really authorized to see a particular window (or perform a particular action), basic web server security is useless now (I can navigate around the application and the web server doesn't even care), I have to go and ask the webserver each time "do I have permission to do this", "do I have permission to do that"... and for that, I have to remember "who am I", I guess that for that I need "session Id" handling... but again.. I just can't find any examples on how to "keep" session handling working in OpenLaszlo (do I have to do something? Do I have to do nothing? is it "right" to use session id handling for SOAP "stateless" web services (built with JSR-181)? or using session id handling forces me to go the REST way? )

I guess someone knows the answer to all these questions... but I just can't find good examples on how to deal with this...

Any recommendations? examples? code you could share? (I promise I will share my example with the community... if I find the way to build it)
(I hope that when the new chapters of http://www.manning.com/klein/ are released, some of these doubts are cleared... although I don't have high hopes, because the book seems to be going the "REST OpenLaszlo SOLO without Authentication or Authorization Way"... but, of course I could be wrong)

Thanks a lot!
bye
Francisco

Re: Authentication / Authorization / SOAP WebServices / JSR-181
Brazil
2007-04-13 08:04:28
Hi Francisco,

here i use authentication and authorization on my laszlo program. I use REST, not WebService.

to discover how to do that i searched and talked a lot on the laszlo forum. The documentation at that time (laszlo 3.3.3) was not very clear on how to do that.

well... the magic to gain authentication is to just set the JSESSION cookie yourself, instead of relying on laszlo. Something like this:

    <dataset name="dsRQ" type="http"
             src="${'/calamb/Servlets/ServBanco;jsessionid='+sid}"
             request="false"
             querytype="POST"/>

where "sid" is a global variable set somehow. In my case, i made a servlet that receives a user just after he logs in and creates a dynamic html page to embed the laszlo swf. This dynamic html has the sid variable passed to lzx. here is the code of this servlet: (get function. Sorry for not having the time to translate, it is in portuguese, but i think u can understand the meaning)

    // Imports this method needs. ll (a logger, with its Level class) and
    // GlobalVars (constants) belong to the author's application and are not shown.
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Method of the servlet class:
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setContentType("text/html");
        res.setCharacterEncoding(GlobalVars.XML_ENCODING_STRING);
        ll.setLevel(Level.INFO);
        ll.info("----------------------------- entrou em Principal -----------------");
        // The session id arrives as a plain request parameter and is written to the log.
        String sid = req.getParameter("sid");
        ll.info("sid recuperado: " + sid);
        PrintWriter pf = res.getWriter();
        if (sid == null) {
            // Message: "ERROR: could not retrieve the logged-in user's cookie."
            pf.println("<html><body>ERRO: Não foi possível recuperar cookie de usuário logado.</body></html>");
            return;
        }
        sid = sid.trim();
        if (sid.equals("")) {
            // Message: "ERROR: the logged-in user's cookie is blank."
            pf.println("<html><body>ERRO: Cookie de usuário logado recuperado está em branco.</body></html>");
            return;
        }
        // Build the page that embeds the Laszlo SWF. sid is concatenated into the
        // movie URL exactly as received, without HTML-encoding.
        String html = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN1\">";
        html += "\n<html><head>";
        html += "\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset="
                + GlobalVars.XML_ENCODING_STRING + "\">";
        html += "\n</head>";
        html += "\n<body>";
        html += "\n<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\""
                + " codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0\""
                + " width=\"1000\" height=\"710\" align=\"middle\">";
        html += "\n <param name=\"quality\" value=\"high\">";
        html += "\n <param name=\"movie\" value=\"" + GlobalVars.LPSServerContext
                + GlobalVars.AppServerContext + "/main.lzx?lzt=swf&sid=" + sid + "\">";
        html += "\n <param name=\"quality\" value=\"high\">";
        html += "\n <embed src=\"" + GlobalVars.LPSServerContext
                + GlobalVars.AppServerContext + "/main.lzx?lzt=swf&sid=" + sid + "\""
                + " width=\"1000\" height=\"710\" align=\"middle\" quality=\"high\""
                + " pluginspage=\"http://www.macromedia.com/go/getflashplayer\""
                + " type=\"application/x-shockwave-flash\"></embed></object>";
        html += "\n</body></html>";
        pf.println(html);
    }

well, like u see i am an adept of the global variables. i know this is not beauty but hey, i just throw my "goto"s and "gosub"s. Let me be with the global variables a bit more ;)

continuing, now on every http request u have to do, you always pass in the request the sid variable. This way the server can see if you are logged.

to gain authorization i developed one simple protocol in the way the request XML is constructed. This way the server can consume the XML on the request and seek in the right place for the key that defines what the user is going to do. If the key isn't there, the user is denied. So, in this scenario, the responsibility to assemble a xml request is to the view (laszlo datasets). The protocol isn't really needed i think (it is mainly for interoperability). But at minimum one variable telling what the user is willing to do.

i hope all this helps.

best regards,
Luís Eduardo.

Francisco Jose Peredo wrote:
> Hi!
> All examples I find on the internet with Laszlo are of the type:
> REST OpenLaszlo SOLO without Authentication or Authorization...
> or
> SOAP to OpenLaszlo without Authentication or Authorization...
>
> The common ground? No authentication or authorization...
>
> Now, when I was building my first examples, using REST seemed like a
> better option (you only have to link the dataset with a URL, and
> "that is it") and SOAP is far more complicated because you have to
> link a remote call to a WSDL url, send the XML describing the
> operation you want to perform, and bind that remote call to the
> dataset. (It is easy to see why most examples are built the REST way)
>
> But, since all examples I can find don't care about authorization or
> authentication then I can't find an example on how to handle issues like:
> -Is the current user logged in? (authentication)
> -Is the current user authorized to perform that action?
>
> How can I communicate with Laszlo using SOAP authentication? is there
> an example somewhere?
> I thought about using basic authentication (I know that way, the web
> server "protects" the resources until the user is authenticated)...
> but, then I get into a problem: it is not performance wise to have 1
> lzx file for each action I want to perform (every lzx "page" weighs
> 160 Kbytes), therefore, it is better if I have only a small number of
> lzx pages, and I use one of Laszlo's components (like "windows") for
> application navigation, but then I get into a different problem... how
> can I be sure that the current user is really authorized to see a
> particular window (or perform a particular action), basic web server
> security is useless now (I can navigate around the application and
> the web server doesn't even care), I have to go and ask the webserver
> each time "do I have permission to do this", "do I have permission to
> do that"... and for that, I have to remember "who am I", I guess that
> for that I need "session Id" handling... but again.. I just can't find
> any examples on how to "keep" session handling working in OpenLaszlo
> (do I have to do something? Do I have to do nothing? is it "right" to
> use session id handling for SOAP "stateless" web services (built with
> JSR-181)? or using session id handling forces me to go the REST way? )
>
> I guess someone knows the answer to all these questions... but I just
> can't find good examples on how to deal with this...
>
> Any recommendations? examples? code you could share? (I promise I will
> share my example with the community... if I find the way to build it)
> (I hope that when the new chapters of http://www.manning.com/klein/ are
> released, some of these doubts are cleared... although I don't have
> high hopes, because the book seems to be going the "REST OpenLaszlo
> SOLO without Authentication or Authorization Way"... but, of course I
> could be wrong)
>
> Thanks a lot!
> bye
> Francisco
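
An added example, not code from the thread: a minimal server-side form of the two checks described in the reply above, where every request carries the session id and the request XML names what the user wants to do. The servlet class, the `action` attribute on the root element, the `allowedActions` session attribute, and the XML arriving as the POST body are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Hypothetical data servlet; the class name, the "action" attribute and the
// "allowedActions" session attribute are assumptions, not taken from the thread.
public class GuardedDataServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        // Authentication: the container resolves ";jsessionid=..." (or the cookie)
        // to a session. getSession(false) never creates one for an unknown id.
        HttpSession session = req.getSession(false);
        Object granted = (session == null) ? null : session.getAttribute("allowedActions");
        if (!(granted instanceof Set)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Set<?> allowed = (Set<?>) granted;

        // The request XML comes from the client, so refuse DOCTYPEs (blocks XXE).
        String action;
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = dbf.newDocumentBuilder().parse(req.getInputStream());
            action = doc.getDocumentElement().getAttribute("action");
        } catch (Exception e) { // malformed or hostile XML
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Authorization: the key only says what the user wants to do; whether it
        // is permitted is decided from data stored server-side at login.
        if (action.isEmpty() || !allowed.contains(action)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Dispatch the permitted action here; this stub only acknowledges it.
        res.setContentType("text/xml");
        res.getWriter().print("<result status=\"ok\"/>");
    }
}
```

Fill `allowedActions` only in the login code, after the credentials check. Because the id in this scheme travels in URLs, where it can end up in logs and Referer headers, issue a fresh session id at login and keep the session timeout short.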

Re: Authentication / Authorization / SOAP WebServices / JSR-181
2007-04-13 09:33:06
Hi!
Thanks for the example, will try, and tell you how it goes...
(Don't worry about the Portuguese sections, I speak Spanish, so
reading Portuguese is not that difficult for me)
Thanks again.
bye
Francisco