You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jetspeed-user@portals.apache.org by "Dutertry, Nicolas" <Ni...@HRACCESS.com> on 2006/05/31 15:31:46 UTC

Changing role during user session

Hi,

I'd like the connected user to change his role in jetspeed but I haven't
been able to do it yet.
I wrote a simple example which shows my problem :
I have a security valve TestSecurityValve which creates the Subject with
"toto" as user principal and "employee" as role principal. If the http
session contains an attribute named "myrole", then the role principal used
in the subject is the value of the attribute instead of "employee".
Here is the code of the valve :

public class TestSecurityValve extends AbstractSecurityValve {

    protected Subject getSubject(RequestContext request) throws Exception {
        String role = (String)request.getSessionAttribute("myrole");
        if(role == null) {
            role = "employee";
            request.setSessionAttribute("myrole", role);
        }
	    
        Set principals = new HashSet();
        Principal userPrincipal = getUserPrincipal(request);
        principals.add(userPrincipal);
        principals.add(new RolePrincipalImpl(role));
        
        Subject subject = new Subject(true, principals, new HashSet(), new
HashSet());
        return subject;
    }

    protected Principal getUserPrincipal(RequestContext request) throws
Exception {
        return new UserPrincipalImpl("toto");
    }
}

To allow the user to change his role I have a Portlet ChangeRolePortlet. The
method processAction of this portlet sets the session attribute "myrole" to
"manager" :

public class ChangeRolePortletextends GenericPortlet {

    protected void doView(RenderRequest request, RenderResponse response)
throws IOException {
        response.setContentType("text/html");	
        RequestContext rq =
(RequestContext)request.getAttribute(RequestContext.REQUEST_PORTALENV);
        PrintWriter pw = response.getWriter(); 
        pw.println("<p>");
        pw.println("role : " + myrole);
        pw.println("</p>");	
        pw.println("<p>");
        pw.println("<a href=\"" + response.createActionURL() +
"\">manager</a>");
        pw.println("</p>");	
    }
    
    public void processAction(ActionRequest request, ActionResponse
response) {
        RequestContext rq =
(RequestContext)request.getAttribute(RequestContext.REQUEST_PORTALENV);
        rq.setSessionAttribute("myrole", "manager");
    }
}


On my jetspeed, I have some pages available only for role "employee" and
other pages only available for role "manager".
When I first access jetspeed, I have the role "employee" and I see the pages
available for employees.
When I change the role with ChangeRolePortlet, I can see the new role in the
portlet BUT I still see the employee pages instead of the manager pages.
It seems that there is a caching mechanism for the role if the user
principal doesn't change.
What should I do to allow the user to change his role ?

Regards,
--
Nicolas Dutertry

Re: Changing role during user session

Posted by David Sean Taylor <da...@bluesunrise.com>.

Dutertry, Nicolas wrote:
> Hi,
> 
> I'd like the connected user to change his role in jetspeed but I haven't
> been able to do it yet.
> I wrote a simple example which shows my problem :
> I have a security valve TestSecurityValve which creates the Subject with
> "toto" as user principal and "employee" as role principal. If the http
> session contains an attribute named "myrole", then the role principal used
> in the subject is the value of the attribute instead of "employee".
> Here is the code of the valve :
> 
> public class TestSecurityValve extends AbstractSecurityValve {
> 
>     protected Subject getSubject(RequestContext request) throws Exception {
>         String role = (String)request.getSessionAttribute("myrole");
>         if(role == null) {
>             role = "employee";
>             request.setSessionAttribute("myrole", role);
>         }
> 	    
>         Set principals = new HashSet();
>         Principal userPrincipal = getUserPrincipal(request);
>         principals.add(userPrincipal);
>         principals.add(new RolePrincipalImpl(role));
>         
>         Subject subject = new Subject(true, principals, new HashSet(), new
> HashSet());
>         return subject;
>     }
> 
>     protected Principal getUserPrincipal(RequestContext request) throws
> Exception {
>         return new UserPrincipalImpl("toto");
>     }
> }

Im not sure how these roles persist over time.
If you were to use the Role Manager, you could persist the roles in the 
jetspeed database and then you wouldnt need your own implementation of a 
security valve.  See the RoleDetails portlet for an example of accessing 
the Role Manager in a portlet (see below)


public class RoleDetails extends BrowserPortlet
{
     private UserManager userManager;

     public void init(PortletConfig config)
     throws PortletException
     {
         super.init(config);
         roleManager = (RoleManager) 
getPortletContext().getAttribute(CommonPortletServices.CPS_ROLE_MANAGER_COMPONENT);
         if (null == roleManager)
         {
             throw new PortletException("Failed to find the Role Manager 
on portlet initialization");
         }
     }


jetspeed-services.xml in your webapps WEB-INF:


	<js:services>
         <js:service name='RoleManager'/>
	</js:services>


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org