[Laszlo-user] Authentication /Authorizaction / SOAP WebServices/JSR-181
Francisco Jose Peredo
fperedo at sefintab.gob.mx
Fri Apr 13 07:33:06 PDT 2007
Hi!
Thanks for the example, I will try it and tell you how it went...
(/Don't worry about the Portuguese sections, I speak Spanish, so reading
Portuguese is not that difficult for me/)
Thanks again.
bye
Francisco
Luís Eduardo wrote:
>
>
> Hi Francisco,
>
> here i use authentication and autorization on my laszlo program. I
> use REST, not WebService.
> to discover how to do that i search and talk a lot on the laszlo
> forum. The documentation on that time (laszlo 3.3.3) was not very
> clear on how to do that.
>
> well... the magic to gain authentication is just set yourself the
> JSESSION cook, instead of reling on laszlo. Something like this:
>
> <dataset name="dsRQ" type="http"
> src="${'/calamb/Servlets/ServBanco;jsessionid='+sid}"
> request="false" querytype="POST"/>
>
> where "sid" is a global variable set somehow. In my case, I made a
> servlet that receives a user just after he logs in and creates a dynamic
> html page to embed the laszlo swf. This dynamic html has the sid
> variable passed to lzx. Here is the code of this servlet (the get
> function. Sorry for not having the time to translate, it is in Portuguese,
> but I think you can understand the meaning):
>
> // Imports needed by this method (not shown in the original post):
> import java.io.IOException;
> import java.io.PrintWriter;
> import java.util.logging.Level;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> // Assumed members of the enclosing HttpServlet: "ll" is a java.util.logging.Logger
> // field; GlobalVars holds the page encoding and the LPS/application context paths.
> public void doGet(HttpServletRequest req, HttpServletResponse res)
>         throws IOException {
>     res.setContentType("text/html");
>     res.setCharacterEncoding(GlobalVars.XML_ENCODING_STRING);
>     ll.setLevel(Level.INFO);
>     ll.info("----------------------------- entrou em Principal -----------------");
>     // The session id produced by the login step arrives as a request parameter
>     String sid = req.getParameter("sid");
>     ll.info("sid recuperado: " + sid);
>     PrintWriter pf = res.getWriter();
>     if (sid == null) {
>         pf.println("<html><body>ERRO: Não foi possível recuperar cookie de usuário logado.</body></html>");
>         return;
>     }
>     sid = sid.trim();
>     if (sid.equals("")) {
>         pf.println("<html><body>ERRO: Cookie de usuário logado recuperado está em branco.</body></html>");
>         return;
>     }
>     // Build the page that embeds the Laszlo swf; sid is written into the
>     // movie URL as-is so that main.lzx receives it as a query parameter
>     String html = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">";
>     html += "\n<html><head>";
>     html += "\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset="
>           + GlobalVars.XML_ENCODING_STRING + "\">";
>     html += "\n</head>";
>     html += "\n<body>";
>     html += "\n<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\""
>           + " codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0\""
>           + " width=\"1000\" height=\"710\" align=\"middle\">";
>     html += "\n <param name=\"quality\" value=\"high\">";
>     html += "\n <param name=\"movie\" value=\"" + GlobalVars.LPSServerContext
>           + GlobalVars.AppServerContext + "/main.lzx?lzt=swf&sid=" + sid + "\">";
>     html += "\n <embed src=\"" + GlobalVars.LPSServerContext
>           + GlobalVars.AppServerContext + "/main.lzx?lzt=swf&sid=" + sid + "\""
>           + " width=\"1000\" height=\"710\" align=\"middle\" quality=\"high\""
>           + " pluginspage=\"http://www.macromedia.com/go/getflashplayer\""
>           + " type=\"application/x-shockwave-flash\"></embed></object>";
>     html += "\n</body></html>";
>     pf.println(html);
> }
>
> well, as you see I am an adept of global variables :) I know
> this is not beautiful but hey, I just threw away my "goto"s and "gosub"s. Let
> me be with the global variables a bit more ;)
>
> continuing, now on every http request you have to do, you always pass
> in the request the sid variable. This way the server can see if you
> are logged in.
>
> to gain authorization I developed one simple protocol in the way the
> request XML is constructed. This way the server can consume the XML in
> the request and seek in the right place for the key that defines what
> the user is going to do. If the key isn't there, the user is denied.
> So, in this scenario, the responsibility to assemble an xml request is
> on the view (laszlo datasets). The protocol isn't really needed I
> think (it is mainly for interoperability). But at minimum one
> variable telling what the user is willing to do.
>
> i hope all this helps.
>
>
> best regards,
>
> Luís Eduardo.
>
>
>
> Francisco Jose Peredo wrote:
>
>> Hi!
>> All examples I find on the internet with laszlo are of the type:
>> REST OpenLaszlo SOLO without Authentication or Authorization...
>> or
>> SOAP to OpenLaszlo without Authentication or Authorization...
>>
>> The common ground? No authentication or authorization...
>>
>> Now, when I was building my first examples, using REST seemed like a
>> better option
>> (you only have to link the dataset with a URL, and "that is it") and
>> SOAP is far more complicated
>> because you have to link a remote call to a WSDL url, send the XML
>> describing the operation you want to perform, and
>> bind that remote call to the dataset. (It is easy to see why most
>> examples are built the REST way)
>>
>> But, since all examples I can find don't care about authorization or
>> authentication, I can't find an example on how to handle issues
>> like:
>> -Is the current user logged in? (authentication)
>> -Is the current user authorized to perform that action?
>>
>> How can I communicate with Laszlo using SOAP authentication? Is there
>> an example somewhere?
>> I thought about using basic authentication (/I know that way, the web
>> server "protects" the resources until the user is authenticated/)...
>> but then I get into a problem: it is not performance-wise to have 1
>> lzx file for each action I want to perform (every lzx "page" weighs
>> 160 Kbytes), therefore, it is better if I have only a small number of
>> lzx pages, and I use one of Laszlo's components (like "windows") for
>> application navigation, but then I get into a different problem... how
>> can I be sure that the current user is really authorized to see a
>> particular window (/or perform a particular action/)? Basic web
>> server security is useless now (/I can navigate around the
>> application and the web server doesn't even care/), I have to go and
>> ask the webserver each time "do I have permission to do this", "do I
>> have permission to do that"... and for that, I have to remember "who
>> am I", I guess that for that I need "session Id" handling... but
>> again.. I just can't find any examples on how to "keep" session
>> handling working in openlaszlo (do I have to do something? Do I have
>> to do nothing? Is it "right" to use session id handling for SOAP
>> "stateless" web services (built with JSR-181)? Or does using session id
>> handling force me to go the REST way? )
>>
>> I guess someone knows the answer to all these questions... but I just
>> can't find good examples on how to deal with this...
>>
>> Any recommendations? Examples? Code you could share? (I promise I will
>> share my example with the community... if I find the way to build it)
>> (I that when the new chapters of http://www.manning.com/klein/ are
>> released, some of these doubts are cleared... although I don't have
>> high hopes, because the book seems to be going the "REST OpenLaszlo
>> SOLO without Authentication or Authorization Way"... but, of course I
>> could be wrong)
>>
>> Thanks a lot!
>> bye
>> Francisco
>>
>>
>>
>
>
>
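As an added example (not code from either poster), here is how the REST endpoint that the dsRQ dataset posts to could apply the two checks Luís describes: the servlet container resolves the ";jsessionid=" URL rewriting into the session, and the request XML must carry an action key that is matched against the permissions stored at login. The class name ServBanco, the XML element name "action", and the session attributes "user" and "permissions" are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Hypothetical endpoint behind /calamb/Servlets/ServBanco; not the poster's own code. */
public class ServBanco extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Authentication: the ";jsessionid=" appended to the dataset src is standard
        // servlet URL rewriting, so the container has already mapped it to a session.
        HttpSession session = req.getSession(false);
        if (session == null || !req.isRequestedSessionIdValid()
                || session.getAttribute("user") == null) {   // "user" stored at login (assumed)
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not logged in");
            return;
        }

        // Authorization: the request XML must name the action in an <action> element,
        // which is checked against the permission set stored at login.
        String action;
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // Client-supplied XML: refuse DOCTYPE so no external entities are resolved.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = dbf.newDocumentBuilder().parse(req.getInputStream());
            NodeList nodes = doc.getElementsByTagName("action");
            action = nodes.getLength() == 1 ? nodes.item(0).getTextContent().trim() : null;
        } catch (Exception e) {                 // malformed XML is a bad request, not a crash
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid request XML");
            return;
        }

        @SuppressWarnings("unchecked")
        Set<String> allowed = (Set<String>) session.getAttribute("permissions"); // assumed
        if (action == null || action.isEmpty() || allowed == null || !allowed.contains(action)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "action not permitted");
            return;   // missing or unknown key: the user is denied, as in the protocol above
        }

        // action is now one of the server's own permission names, so echoing it is safe
        res.setContentType("text/xml");
        res.getWriter().println("<result action=\"" + action + "\">ok</result>");
    }
}
```

Because the session id travels in the URL here, it shows up in server access logs and Referer headers; the servlet can flag that with req.isRequestedSessionIdFromURL() if you want to move to cookie-only sessions later.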