Posted to dev@rave.apache.org by Robert O'neill <ro...@us.ibm.com> on 2012/11/27 20:50:52 UTC

Generating a security token in rave


In EncryptedBlobSecurityTokenService, the method
getBlobCrypterSecurityToken contains the lines:

values.put(AbstractSecurityToken.Keys.OWNER.getKey(),
           String.valueOf(userService.getUserById(
               regionWidget.getRegion().getPage().getOwnerId()).getUsername()));
values.put(AbstractSecurityToken.Keys.VIEWER.getKey(),
           String.valueOf(user.getUsername()));

Is there ever a situation where the owner of the page is not the current
user? If not, the calls

userService.getUserById(regionWidget.getRegion().getPage().getOwnerId()).getUsername()

and

User user = userService.getAuthenticatedUser();

should be identical.

I am running into an issue generating a security token where I pass in a
dummy RegionWidget that has no associated region. If the 'OWNER' and
'VIEWER' properties are always set to the current authenticated user, the
getBlobCrypterSecurityToken can be safely modified to accommodate passing
in a dummy RegionWidget.

Let me know if this is the case.

RE: Generating a security token in rave

Posted by "Franklin, Matthew B." <mf...@mitre.org>.
>-----Original Message-----
>From: Robert O'neill [mailto:roneill@us.ibm.com]
>Sent: Tuesday, November 27, 2012 2:51 PM
>To: Rave Dev
>Subject: Generating a security token in rave
>
>
>
>In EncryptedBlobSecurityTokenService, the method
>getBlobCrypterSecurityToken contains the lines:
>
>values.put(AbstractSecurityToken.Keys.OWNER.getKey(),
>           String.valueOf(userService.getUserById(
>               regionWidget.getRegion().getPage().getOwnerId()).getUsername()));
>values.put(AbstractSecurityToken.Keys.VIEWER.getKey(),
>           String.valueOf(user.getUsername()));
>
>Is there ever a situation where the owner of the page is not the current
>user? If not, the calls
>
>userService.getUserById(regionWidget.getRegion().getPage().getOwnerId()).getUsername()
>
>and
>
>User user = userService.getAuthenticatedUser();
>
>should be identical.
>
>I am running into an issue generating a security token where I pass in a
>dummy RegionWidget that has no associated region. If the 'OWNER' and
>'VIEWER' properties are always set to the current authenticated user, the
>getBlobCrypterSecurityToken can be safely modified to accommodate passing
>in a dummy RegionWidget.
>
>Let me know if this is the case.

This is only the case when viewing dashboard pages that you created. In profiles, the owner is the subject of the page. You could autowire the PageService instance into your new endpoint and look up the page by id (assuming you pass that in the REST call).
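
The owner/viewer distinction described in the reply, as an added example that is not part of the thread and is not Rave's code. Page, PageLookup, tokenValues and the "owner"/"viewer" key strings are hypothetical stand-ins for the page lookup and the token keys; the usernames and page ids are constructed sample data.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration with stand-in types; none of these are Rave classes.
public class OwnerViewerTokenExample {
    // Hypothetical minimal page record: id plus the username of its owner.
    record Page(long id, String ownerUsername) {}

    // Hypothetical stand-in for a lookup of the page by id.
    interface PageLookup { Page findById(long pageId); }

    // OWNER is taken from the page, VIEWER from the authenticated user.
    static Map<String, String> tokenValues(PageLookup pages, long pageId,
                                           String authenticatedUser) {
        Page page = pages.findById(pageId);
        if (page == null) {
            // Fail closed: never fall back to treating the viewer as the owner.
            throw new IllegalArgumentException("Unknown page id " + pageId);
        }
        Map<String, String> values = new LinkedHashMap<>();
        values.put("owner", page.ownerUsername());   // placeholder key name
        values.put("viewer", authenticatedUser);     // placeholder key name
        return values;
    }

    public static void main(String[] args) {
        // Constructed data: page 1 is alice's dashboard, page 2 is bob's profile.
        Map<Long, Page> store = Map.of(
                1L, new Page(1L, "alice"),
                2L, new Page(2L, "bob"));
        PageLookup pages = store::get;

        // Own dashboard: owner and viewer are the same user.
        System.out.println(tokenValues(pages, 1L, "alice"));
        // Someone else's profile: owner and viewer differ.
        System.out.println(tokenValues(pages, 2L, "alice"));
        // Unknown page id: the token is refused instead of defaulting the owner.
        try {
            tokenValues(pages, 99L, "alice");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A consumer that authorizes on the owner field would grant alice bob's rights on the profile page if the owner were filled in from the authenticated user.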