Tribune

Home » Liferay Portal » English » 3. Development

Vista Combinata Vista Piatta Vista ad Albero
Discussioni [ Precedente | Successivo ]
toggle
kehsihba eejrenab
Liferay URL issue : Need to identify whether the url is created by some oth
16 gennaio 2013 23.09
Risposta

kehsihba eejrenab

Punteggio: Junior Member

Messaggi: 82

Data di Iscrizione: 15 luglio 2009

Messaggi recenti

In our project we have a requirement of sharing parameters between various portlets using URL.
the sample url is ,
http://localhost:8080/web/guest/test2?p_p_id=senderportlet_WAR_IPCDemoportlet_INSTANCE_qa1Y&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=2&_senderportlet_WAR_IPCDemoportlet_INSTANCE_qa1Y_paramval=1234


The end of the url has "paramval=1234". The url is read by a portlet on the same page(Reciever portlet) which fetches a document from a custom database.

The problem occurs when a user directly types the url on the browser with different docuement number. He gets access to the documents.The reciever portlet doesn't understand whether the url is created generated by other portlets on the page or directly typed on the browser.

Is there a way yo identify in the reciever portlet's lifecycle methods whether the url is created by some other portlet or typed by user directly?
Oliver Bayer
RE: Liferay URL issue : Need to identify whether the url is created by some
17 gennaio 2013 1.03
Risposta

Oliver Bayer

Punteggio: Liferay Master

Messaggi: 875

Data di Iscrizione: 18 febbraio 2009

Messaggi recenti

Hi,

I don't think you can easily distinguish between an url created by your portlet and one modified by a user. The better approach would be to implement some sort of permission checking for your receiver portlet (you can use the permissionChecker object for it). Doing it that way you can be asured that a user is only seeing documents for which he has the permission for (even if he's guessing document numbers).

HTH Oli
kehsihba eejrenab
RE: Liferay URL issue : Need to identify whether the url is created by some
17 gennaio 2013 1.16
Risposta

kehsihba eejrenab

Punteggio: Junior Member

Messaggi: 82

Data di Iscrizione: 15 luglio 2009

Messaggi recenti

Thanks for the reply Oliver.

The problem here is . The user is already logged in and his session is active.
And now he opens another tab and writes the url directly in the browser with changed param values and gets access to the documents.
We are asked to restrict the direct url access and allow only if the url is generated from some Caller portlet.

Is there any other way to make the reciever portlet know that the request is from a portlet and not directly typed url.
Jan Geißler
RE: Liferay URL issue : Need to identify whether the url is created by some
17 gennaio 2013 2.32
Risposta

Jan Geißler

Punteggio: Expert

Messaggi: 358

Data di Iscrizione: 5 luglio 2011

Messaggi recenti

This is technically impossible as all WebApplications are stateless. You do not have any possibility to check if a URL is typed in the Browser or generated by a caller portlet. What you want to do is definatly not possible the way you want to achieve it. Only thing could be to create some random HASH value which gets shared for a user or so. But the easiest way would be implementing permission checks, if a User has the permission to view a resource or not.
kehsihba eejrenab
RE: Liferay URL issue : Need to identify whether the url is created by some
17 gennaio 2013 3.12
Risposta

kehsihba eejrenab

Punteggio: Junior Member

Messaggi: 82

Data di Iscrizione: 15 luglio 2009

Messaggi recenti

Thanks for the reply.

We are starting on it with a new approach using shared portlet session.

PortletSession psession=actionRequest.getPortletSession();
String val="True";
psession.setAttribute( "LIFERAY_SHARED_mySpecialVar", val,PortletSession.APPLICATION_SCOPE);

we could set a value inside a variable and put it in session from portlet A and read the value from portlet B and make the sahred variable as "false".
But, on deploying them on the same portal page.
Portlet B's doview() is called first and it cant find any value in the session.
Then , PortletA's doview() is called.

Can you suggest me how to handle this situation.
Jan Geißler
RE: Liferay URL issue : Need to identify whether the url is created by some
17 gennaio 2013 3.35
Risposta

Jan Geißler

Punteggio: Expert

Messaggi: 358

Data di Iscrizione: 5 luglio 2011

Messaggi recenti

Actually, I can't help you with that. Also I do think this will not work. I think I would try to do some AuthCode Code logic and decrypt it in the parameters.
Maybe you could set the sessionValue in the RenderMethod of portlet b, as portlet a get's fired first. But you will face a Problem if you change the portlets on that page. I would have to give this some serious thoughts, but unfortunatly I don't have the time for that right now.