[Laszlo-user] Authentication /Authorizaction / SOAP WebServices /JSR-181
Luís Eduardo
leduardo at suprasis.com.br
Fri Apr 13 06:04:28 PDT 2007
Hi Francisco,
Here I use authentication and authorization in my Laszlo program. I use
REST, not WebService.
To discover how to do that I searched and talked a lot on the Laszlo
forum. The documentation at that time (Laszlo 3.3.3) was not very clear
on how to do that.
Well... the magic to gain authentication is just to set the JSESSIONID
cookie yourself, instead of relying on Laszlo. Something like this:
<dataset name="dsRQ" type="http"
src="${'/calamb/Servlets/ServBanco;jsessionid='+sid}"
request="false" querytype="POST"/>
where "sid" is a global variable set somehow. In my case, I made a
servlet that receives a user just after he logs in and creates a dynamic HTML
page to embed the Laszlo SWF. This dynamic HTML has the sid variable
passed to LZX. Here is the code of this servlet (the get function; sorry
for not having the time to translate, it is in Portuguese, but I think you can
understand the meaning):
// Imports and class wrapper added so the snippet compiles; the post showed only doGet.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Servlet that receives the session id of a user who has just logged in and
// answers with an HTML page embedding the Laszlo SWF, passing the sid on to LZX.
// The class name "Principal" is taken from the log message below (assumption).
// GlobalVars is the author's own constants class (XML_ENCODING_STRING,
// LPSServerContext, AppServerContext); it is not shown in the post.
public class Principal extends HttpServlet {

    // Logger declaration added; the post only shows it being used as "ll".
    private static final Logger ll = Logger.getLogger(Principal.class.getName());

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setContentType("text/html");
        res.setCharacterEncoding(GlobalVars.XML_ENCODING_STRING);
        ll.setLevel(Level.INFO);
        ll.info("----------------------------- entrou em Principal -----------------");
        // The session id is handed over as a request parameter by the login step.
        String sid = req.getParameter("sid");
        ll.info("sid recuperado: " + sid);
        PrintWriter pf = res.getWriter();
        if (sid == null) {
            pf.println("<html><body>ERRO: Não foi possível recuperar cookie de usuário logado.</body></html>");
            return;
        }
        sid = sid.trim();
        if (sid.equals("")) {
            pf.println("<html><body>ERRO: Cookie de usuário logado recuperado está em branco.</body></html>");
            return;
        }
        // Build the page that embeds the Laszlo SWF; the sid travels in the movie URL.
        String html = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">";
        html += "\n<html><head>";
        html += "\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset="
              + GlobalVars.XML_ENCODING_STRING + "\">";
        html += "\n</head>";
        html += "\n<body>";
        html += "\n<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\""
              + " codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0\""
              + " width=\"1000\" height=\"710\" align=\"middle\">";
        html += "\n <param name=\"quality\" value=\"high\">";
        html += "\n <param name=\"movie\" value=\"" + GlobalVars.LPSServerContext
              + GlobalVars.AppServerContext + "/main.lzx?lzt=swf&sid=" + sid + "\">";
        html += "\n <param name=\"quality\" value=\"high\">";
        html += "\n <embed src=\"" + GlobalVars.LPSServerContext
              + GlobalVars.AppServerContext + "/main.lzx?lzt=swf&sid=" + sid + "\""
              + " width=\"1000\" height=\"710\" align=\"middle\" quality=\"high\""
              + " pluginspage=\"http://www.macromedia.com/go/getflashplayer\""
              + " type=\"application/x-shockwave-flash\"></embed></object>";
        html += "\n</body></html>";
        pf.println(html);
    }
}
Well, as you see I am an adept of global variables :) I know
this is not beautiful but hey, I just threw away my "goto"s and "gosub"s. Let
me be with the global variables a bit more ;)
Continuing: now on every HTTP request you have to make, you always pass
the sid variable in the request. This way the server can see if you are
logged in.
To gain authorization I developed one simple protocol in the way the
request XML is constructed. This way the server can consume the XML of
the request and seek in the right place for the key that defines what the
user is going to do. If the key isn't there, the user is denied. So, in
this scenario, the responsibility to assemble an XML request belongs to the
view (Laszlo datasets). The protocol isn't really needed, I think (it
is mainly for interoperability), but at a minimum one variable telling
what the user is willing to do.
I hope all this helps.
Best regards,
Luís Eduardo.
Francisco Jose Peredo escreveu:
> Hi!
> All examples I find on the internet with Laszlo are of the type:
> REST OpenLaszlo SOLO without Authentication or Authorization...
> or
> SOAP to OpenLaszlo without Authentication or Authorization...
>
> The common ground? No authentication or authorization...
>
> Now, when I was building my first examples, using REST seemed like a
> better option
> (you only have to link the dataset with an URL, and "that is it") and
> SOAP is far more complicated
> because you have to link a remote call to a WSDL url, send the XML
> describing the operation you want to perform, and
> bind that remote call to the dataset. (It is easy to see why most
> examples are built the REST way)
>
> But, since all examples I can find don't care about authorization or
> authentication, I can't find an example on how to handle issues like:
> -Is the current user logged in? (authentication)
> -Is the current user authorized to perform that action?
>
> How can I communicate with Laszlo using SOAP authentication? Is there
> an example somewhere?
> I thought about using basic authentication (/I know that way, the web
> server "protects" the resources until the user is authenticated/)...
> but then I get into a problem: it is not performance-wise to have 1
> lzx file for each action I want to perform (every lzx "page" weighs
> 160 Kbytes), therefore it is better if I have only a small number of
> lzx pages, and I use one of Laszlo's components (like "windows") for
> application navigation, but then I get into a different problem... how
> can I be sure that the current user is really authorized to see a
> particular window (/or perform a particular action/)? Basic web server
> security is useless now (/I can navigate around the application and
> the web server doesn't even care/), I have to go and ask the web server
> each time "do I have permission to do this", "do I have permission to
> do that"... and for that, I have to remember "who am I", I guess that
> for that I need "session Id" handling... but again... I just can't find
> any examples on how to "keep" session handling working in OpenLaszlo
> (do I have to do something? Do I have to do nothing? Is it "right" to
> use session id handling for SOAP "stateless" web services (built with
> JSR-181)? Or does using session id handling force me to go the REST way?)
>
> I guess someone knows the answer to all these questions... but I just
> can't find good examples on how to deal with this...
>
> Any recommendations? examples? code you could share? (I promise will
> share my example with the community... if I find the way to build it)
> (I that when the new chapters of http://www.manning.com/klein/ are
> released, some of these doubts are cleared... although I don't have
> high hopes, because the book seems to be going the "REST OpenLaszlo
> SOLO without Authentication or Authorization Way"... but, of course I
> could be wrong)
>
> Thanks a lot!
> bye
> Francisco
>
>
>
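Editor's added example (not code from either poster): the server side of the scheme Luís describes, written as a Java servlet against the javax.servlet API. It shows the two checks his message separates: authentication, where the container resolves the session from the ";jsessionid=" path parameter that the Laszlo dataset URL carries (or from the cookie) and the servlet only asks whether that session has a logged-in user; and authorization, where the action key is read from a fixed place in the request XML and compared with the user's allowed set, so a request without the key, or with a key the user does not hold, is refused. The element name "acao", the session attribute "user", the in-memory permission table and the class name ServBanco are assumptions made for the example; the login servlet that stores the user in the session is not shown.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Example request handler for the Laszlo datasets; assumes the javax.servlet API on the classpath.
public class ServBanco extends HttpServlet {

    // Session attribute written by the login step (assumed name).
    static final String USER_ATTR = "user";
    // Element of the request XML that names the requested action (assumed name).
    static final String ACTION_ELEMENT = "acao";

    // Constructed permission table: user -> action keys that user may invoke.
    static final Map<String, Set<String>> PERMISSIONS = new HashMap<>();
    static {
        PERMISSIONS.put("alice", new HashSet<>(Arrays.asList("saldo", "extrato")));
        PERMISSIONS.put("bob", new HashSet<>(Arrays.asList("saldo")));
    }

    // Authentication: the container already mapped ;jsessionid=... (or the cookie) to a
    // session; getSession(false) never creates one, so an unknown id yields null.
    static String authenticatedUser(HttpSession session) {
        if (session == null) return null;
        Object user = session.getAttribute(USER_ATTR);
        return user == null ? null : user.toString();
    }

    // Read the action key from the agreed place in the request XML; null when absent.
    static String actionKey(InputStream body) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // The body comes from the client, so refuse DOCTYPEs and do not expand entities.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setExpandEntityReferences(false);
            DocumentBuilder b = f.newDocumentBuilder();
            Document doc = b.parse(body);
            NodeList nodes = doc.getDocumentElement().getElementsByTagName(ACTION_ELEMENT);
            if (nodes.getLength() == 0) return null;
            String key = nodes.item(0).getTextContent().trim();
            return key.isEmpty() ? null : key;
        } catch (Exception e) {
            return null; // malformed XML is treated as "no action key" and therefore denied
        }
    }

    // Authorization: the key must be present and be in the user's allowed set.
    static boolean authorized(String user, String key) {
        if (user == null || key == null) return false;
        Set<String> allowed = PERMISSIONS.getOrDefault(user, Collections.emptySet());
        return allowed.contains(key);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String user = authenticatedUser(req.getSession(false));
        if (user == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not logged in");
            return;
        }
        String key = actionKey(req.getInputStream());
        if (!authorized(user, key)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "action not allowed");
            return;
        }
        // Only a key from the permission table reaches this point, so echoing it is safe.
        res.setContentType("text/xml");
        res.getWriter().println("<resposta acao=\"" + key + "\" ok=\"true\"/>");
    }

    // Offline check of the two decisions on constructed request bodies (no container needed).
    public static void main(String[] args) {
        String okBody = "<pedido><acao>extrato</acao><conta>123</conta></pedido>";
        String noKey  = "<pedido><conta>123</conta></pedido>";
        String k1 = actionKey(new ByteArrayInputStream(okBody.getBytes(StandardCharsets.UTF_8)));
        String k2 = actionKey(new ByteArrayInputStream(noKey.getBytes(StandardCharsets.UTF_8)));
        System.out.println("alice/extrato -> " + authorized("alice", k1)); // true
        System.out.println("bob/extrato   -> " + authorized("bob", k1));   // false
        System.out.println("alice/no key  -> " + authorized("alice", k2)); // false
    }
}
```

With this layout the "sid" query parameter of the login page is not needed on the request path at all: the dataset URL from Luís's message already carries the id as ";jsessionid=", and the servlet container turns it into the HttpSession that authenticatedUser inspects. The action check is deliberately a plain set lookup per user, so adding an action means adding a key to the table rather than another code path.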