Creating a secure Liferay Servlet - java

I'd like to develop a servlet whichs works as a datalayer between a porlet written in JavaScript (ExtJS) and a database.
Thus I downloaded Eclipse JavaEE and created a sample servlet project. I also successfully deployed a servlet which receives a http-get-request, calls the DB and outputs the result.
But everyone who nows the servlet-uri can call it and sees the result. Thats where it gets tricky - how do I secure my servlet so that only a authenticated/logged in user can call my servlet or how can my servlet check wether the requester is a valid user?
There is a similar question about that Topic but I'm not sure if this is about the same problem: How to create a top-level servlet in liferay
Unfortunately I have no clue how to get the liferay-libraries (e.g. PortalUtil) into my servlet-project. How do I do this step by step?
Is this concept even a good way to secure the datalayer or are there better options?
Any help is appreciated!

Related

Jersey 2.5: How can a resource access external classes instances

I have embedded Jetty container inside my main server and I also use Jersey 2.5 for handling REST resources.
everything seems to work well and now I would like to pass my server's context class into each of my REST resources.
I'm having hard time understanding how to do that...
If someone can provide full code example - it could be awesome!
Many thanks
What exactly do you mean when you say you have a Jetty container inside your "main server"? Are you programmatically executing Jetty within the application? Also, when you say "context" are you referring to the ServletContext?

Read jsp page output from my application

I would like to read jsp page from my application and save it to a file - it's output, not the code itself. Plus, my application has basic authentication (username+password).
If it was a Servlet, I could just access it's doGet method.
One solution I've found is this - Open URL connection, provide authentication details and read the stream.
I'm wondering if there's another option, maybe accessing the generated Servlet in the web container and then using reflection to call the class doGet.
You can precompile the JSP and then call the servlet (you don't have to use reflection even).
If you try to call the JSP's servlet without precompiling then it might not exit yet (because usually the server only compiles the JSP after it was called for the first time).
To precompile the JSP, check your web server documentation.
Personally I think you're better of using URL connection. Precompiling JSPs is not portable (as in you need to do it in a different way for each web server).
Edit
You can also use RequestDispatcher.include() method with a wrapped response object as described in this answer.

Is there any attribute or option available in weblogic to restrict number of servlets?

I'm working on java project, which is using weblogic 10 as an application server. In this project there are around 11 servlets added in web.xml descriptor with url mapping. Whenever i'm adding new servlet, its not getting mapped to the url as wel as not getting invoked. What may be the problem. As, if I add the same logic in any of the existing servlet, its working fine.
Thanks in advance.
How is the question in the title of your post going to help you solve this problem?
Maybe you have another servlet that maps to the same URL pattern, or you have ambiguous URL patterns for your new servlet and already existing servlets (so that WebLogic doesn't know which one to call). Check the servlet mappings in your web.xml file.
Check the WebLogic management console to see if your servlet is deployed successfully, and check the logs of WebLogic for any deployment errors. Carefully read the error messages to find out what's wrong. If you don't understand them, add them to your post above, so that someone here can explain you what they mean.
If you go to an URL that's supposed to map to your servlet, then what do you get? An error message, or is it going to another servlet? If it's an error, then again, post the error message.

What will tomcat do after I type the root link of a spring application?

Let's say I have an application written with spring framework, and I want to know, when I typed in :
http://localhost:8080/test
link, what tomcat will do to generate response for this request ?
Should it have to pass all filters first, then ????
And after I typed in the url, it always be directed to another link like http://localhost:8080/test/login, where was this redirection implemented ?
If it is hard to explain to me, then please recommend me a book for that, thanks very much !
what tomcat will do to generate response for this request ?
Tomcat will typically send the the request to the relevant DispatcherServlet instance, as configured in your "web.xml" file. This is described in the Spring documentation.
Should it have to pass all filters first, then ????
Yes. Filters are applied before (and after) requests are passed to the Servlet.
And after I typed in the url, it always be directed to another link like http://localhost:8080/test/login, where was this redirection implemented ?
That depends on how you have implemented security. It could be done at the Tomcat level (I think), using SpringSecurity, or hard-wired logic in your Spring MVC controller, or in a plain (non-Spring) Servlet, Filter or (Tomcat specific) Valve.
If you are looking for advice on the best way to implement login / security, I'd recommend using SpringSecurity. SpringSecurity works using Filters.
If it is hard to explain to me, then please recommend me a book for that, thanks very much !
The online Spring and SpringSecurity documentation is as good a place as any. This documentation tends not to spell out exactly how requests get processed in the context of a particular web container, but you should be able to figure the details from the Tomcat docs and the Servlet specification.
If there's a controller that's mapped to that URL, the Spring DispatcherServlet will send the request to it for handling.
If the controller determines that the next view ought to be the one that corresponds to /test/login, then it'll specify so when it sets the ModelAndView.

What causes duplicate requests to occur using spring,tomcat and hibernate

I'm working on a project in Java using the spring framework, hibernate and tomcat.
Background:
I have a form page which takes data, validates, processes it and ultimately persists the data using hibernate. In processing the data I do some special command (model)
manipulation prior to persisting using hibernate.
Problem:
For some reason my onSubmit method is being called twice, the first time through things
are processed properly. However the second time through they are not; and the incorrect
information is being persisted.
I've also noticed that on other pages which are simply pulling information from the data
base and displaying on screen; Double requests are happening there too.
Is there something misconfigured, am I not using spring properly..any help on this would
be great!
Additional Information:
The app is still being developed. In testing the app I'm running into this problem. I'm using the app as I would expect it to be used (single clicks,valid data,etc...)
If you are testing in IE, make note that in some versions of IE it sometimes submits two requests. What browsers are you testing the app in?
There is the javascript issue, if an on click handler is associated with submit button and calls submit() and does not return false to cancel the event bubble.
Could be as simple as users clicking on a link twice, re-submitting a form while the server is still processing the first request, or hitting refresh on a POST-ed page.
Are you doing anything on the server side to account for duplicate requests such as these from your users?
This is a very common problem faced by someone who is starting off. And not very sure about the application eco-system.
To deploy a spring app, we build the war file.
Then we put it inside 'webapps' folder of tomcat.
Then we run the tomcat instance using terminal (I am presuming a linux system).
Now, we set up env in that terminal.
The problem arises when we set up our environment for the spring application where there can be more than one war files to be deployed.
Then we must cater to the fact that the env must be exclusive to a specific war file.
To achieve this, what we can do is create exclusive env files for every war. (e.g. war_1.sh,war_2.sh,.....,war_n.sh) and so on.
Now we can source that particular env file for which we have to deploy its corresponding war. This way we can segregate the multiple wars (applications) and their environment.

Categories