8 replies Latest Post - ‏2013-09-03T18:11:32Z by dan_darnell
ENO2010

Pinned topic RBD 8.5 - RUI and JSF

‏2013-08-26T12:51:56Z |

Hi,

I would like to know if it is possible to share data between JSF and RUI handler.

I have a JSF login page and when the login is successful the customer is forwarded to an EGL RUI application.

In the EGL RUI application, I need the userid from the login page. Is it possible?

regards

Eric

  • dan_darnell

    Re: RBD 8.5 - RUI and JSF

    ‏2013-08-26T15:53:48Z  in response to ENO2010

    There are a number of ways to accomplish this. Two that immediately come to mind are:

    1. When you invoke the RUI app, include the user ID as a URL parameter. Then, in the targeted RUI app, parse the user ID from the parameters. (In your RUI app you can find the URL parms in the variable "document.location".)

    2. In the JSF app, put the user ID in a cookie. Then retrieve it in the RUI app.

    --Dan

    • TuukkaIlomäki

      Re: RBD 8.5 - RUI and JSF

      ‏2013-08-29T08:07:57Z  in response to dan_darnell

      Doesn't storing the user ID in a cookie pose a security risk? If my user ID is 1234, I would be tempted to tamper with the cookie data and change my user ID to 5678 in order to see what happens.

      • dan_darnell

        Re: RBD 8.5 - RUI and JSF

        ‏2013-08-29T17:36:40Z  in response to TuukkaIlomäki

        The OP asked if it was possible to share the user ID ... and it is ... but you are correct in pointing out this should only be done with due caution.

        Security should always be a primary concern.

        Yes, cookies can be changed. (Although the different cookie types have different levels of access/vulnerability.) And a savvy person could also intercept and change the user ID passed as a URL parameter.

        Some questions you have to ask...

        Is it an internal app? An external app? (Users of an internal corporate app sometimes don't pose the same risks as external users. But sometimes they do, of course. Depends on the app and other things that might be in place to secure the environment.)

        The big questions: How is the user ID used in the application? What could happen if a user figured out how to "spoof" a user ID?

        If the user ID is a critical part of, say, the authentication or authority mechanism, then whether you put it in a cookie or pass it as a URL parm you should encrypt it.

        Another technique would involve storing the information that is shared between components in a table and using a common (or shared) piece of information to reference the information. Still, if it is information that could impact security, it must be encrypted or else you've made a terrible mistake.

        --Dan

        p.s. Thanks for prompting the discussion of this crucial topic in this conversation!

        • canutri

          Re: RBD 8.5 - RUI and JSF

          ‏2013-08-29T18:26:06Z  in response to dan_darnell

          Would a session variable work?  Provided both RUI and JSP are in the same app context.

          Daron

          • dan_darnell

            Re: RBD 8.5 - RUI and JSF

            ‏2013-08-29T18:29:59Z  in response to canutri

            Daron,

            I think that's the rub ... how would you get a JSF app and a RUI app into the same web container? JSP ... different story ... I've done what you are asking with JSP and RUI ... but the OP is asking about an EGL-based JSF app and a RUI app. Thoughts?

            --Dan

            • canutri

              Re: RBD 8.5 - RUI and JSF

              ‏2013-09-03T17:51:01Z  in response to dan_darnell

              Dan,

              Thanks for the correction - I'm not sure what I was thinking with my reply for JSP. However, couldn't it still be possible to deploy a RUI to a JSF project target? It might be unconventional, but wouldn't it work? What about making a .war file from the RUI project? Not having done this myself, I'm more curious of the possibilities.

              Now if WebSphere is being used as the application server, then the separate projects could share session variables via Shared Session Context option from the WebSphere Extensions tab of the EAR's Deployment Descriptor.  See WebSphere InfoCenter topic: "Assembling so that session data can be shared".

              Daron

              • dan_darnell

                Re: RBD 8.5 - RUI and JSF

                ‏2013-09-03T18:11:32Z  in response to canutri

                Hi Daron,

                "Couldn't it still be possible to deploy a RUI to a JSF project target?"

                Man, I don't know. Maybe that would work.

                And you're right, a WebSphere deploy with shared session context would probably do the trick. That's a really good idea.

                --Dan

  • M Groeneweg

    Re: RBD 8.5 - RUI and JSF

    ‏2013-08-30T06:24:44Z  in response to ENO2010

    This is probably beyond the original question but could still be relevant:

    If both applications would use standard J2EE security and the server allows single sign-on, this can be achieved using a service call from the RUI application:

    1. The JSF application and deployed RUI application use form based authentication to authenticate the user. As the JSF application authenticates the user, the application will not show a logon form when continuing from the JSF to the RUI application.

    2. The RUI app calls a service to access the database and/or do business logic, that service uses j2eeLib.getRemoteUser() to get the user ID.

    3. The service might return the user ID to the RUI app, for example to display it in the browser page.

    Note that RUI is as secure as any JavaScript application, so not secure at all. Any JavaScript code can be changed at runtime using standard debugging tools available in all browsers. So the service should always determine the logged on user using the j2eeLib.getRemoteUser() rather than trusting the service input.
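
Added example (not code from any poster in this thread, and not EGL or RBD code): the 1234-to-5678 cookie edit raised above, run against a user ID that the server side sealed with AES-256-GCM, with the check done in the service rather than in the browser, as the last post advises. Node.js stands in for the server-side code; `sealUserId`, `openUserId`, `handleServiceCall`, the `uid` cookie name and the request shape are hypothetical.

```javascript
// Added example: the user ID is sealed and opened only on the server side.
const crypto = require('node:crypto');

// Assumption: one secret shared by the login app and the service, never sent to the browser.
const KEY = crypto.randomBytes(32);

// Login side: seal the authenticated user ID into a cookie-safe token.
function sealUserId(userId, key = KEY) {
  const iv = crypto.randomBytes(12);               // fresh nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(String(userId), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Service side: return the user ID, or null if the token was altered or forged.
function openUserId(token, key = KEY) {
  try {
    const raw = Buffer.from(String(token), 'base64url');
    if (raw.length < 12 + 16 + 1) return null;     // iv + tag + at least one byte
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  } catch {
    return null;                                   // GCM tag check failed
  }
}

// Hypothetical service handler: a user ID claimed in the request body is ignored.
function handleServiceCall(request) {
  const userId = openUserId(request.cookies.uid);
  if (userId === null) return { status: 401 };
  return { status: 200, userId };
}

// Constructed sample: user 1234 logs in, then the cookie is edited in the browser.
function demo() {
  const cookie = sealUserId('1234');
  const raw = Buffer.from(cookie, 'base64url');
  raw[raw.length - 1] ^= 0x01;                     // flip one bit of the ciphertext
  return {
    honest: handleServiceCall({ cookies: { uid: cookie }, body: { userId: '5678' } }),
    tampered: handleServiceCall({ cookies: { uid: raw.toString('base64url') }, body: {} }),
    plain: handleServiceCall({ cookies: { uid: '5678' }, body: {} }),
  };
}
```

Because the key stays on the server, the RUI code in the browser can only pass the token along; it cannot read or rebuild it.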