Re: Access JWT Soffit data model within Spring Mvc Controller not JSP.

Drew Wills

Leigh,

I think you'll be able to do what you need, but it would help if you tell me a little bit about how you plan for your "Spring MVC controller" to respond to the HTTP request from the portal server.

Some relevant (afaik) points to the discussion:

  - (1) In soffits, the remote component responds to the portal with an HTML fragment that gets incorporated into the portal page response.

  - (2) In Java-based soffits, normally that HTML is produced by rendering a JSP.

Is #1 accurate in your case?  (If not, you are definitely in uncharted waters.  I'm not saying we can't possibly go there... but I want to understand how much new stuff we're making up.)

If #1 is accurate, is #2 as well?  (If not, then why not?  There's not much reason _not_ to use a JSP, if only a very static one.)

If #1 and #2 are both accurate, then I know exactly what to suggest:  use the @SoffitModelAttribute annotation.

  - https://jasig.github.io/uPortal/developer/soffits/soffit_data_model.html#the-soffitmodelattribute-annotation

Create a new class and make it a Bean.  Annotate one or more methods with @SoffitModelAttribute.  Those methods can declare that they need the Bearer object.  If they do, they will receive it.

If it matters, the object returned by these methods will be available to the JSP when it renders.

drew

On 1/22/19 8:03 AM, [hidden email] wrote:
Hi,

I can't figure out how to access the bearer object within the Spring Mvc controller. I can easily do it within a JSP. Is it possible to do this within Spring Mvc?

The documentation states how to access it via JSP and extend it, but there do not seem to be instructions on how to directly access the object. I'm no Java expert, it's highly possible that I am doing something silly here.

I'm building an email Soffit which allows you to see your email based on an id attribute stored in the bearer object. I don't want to send that id value to the service from the frontend as this could be easily exploited. I just want the service to only ever show the logged-in user's emails.

Cheers,
Leigh
--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
Visit this group at https://groups.google.com/a/apereo.org/group/uportal-dev/.

lgordon
Hi Drew,

I don't think what we are doing could be classified as being in uncharted waters. We are serving our JS assets via the view.jsp. Along with that we are also hosting RESTful services through the soffit.

So our view.jsp looks like this (don't worry about the syntax, it's essentially loading a React library):

<div class="soffit_id"></div>

<script src="/soffit_path/public/js/js/1f8f51b2449d5afeb5e1.main.js"></script>

<script>
  "use strict";
  (function(myedComponent, scriptTags){
    var scriptTag = scriptTags[scriptTags.length - 1];
    var parentTag = scriptTag.parentNode;
    var childTag = parentTag.getElementsByClassName('soffit_id')[0];
    myedComponent.render(childTag, "view");
  })(window['component_myed_component'], document.getElementsByTagName('script'));
</script>

When the SPA loads it calls a RESTful service to get the emails:

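import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class RestController {

    @Autowired
    Office365ExchangeService exchangeService;

    protected final Log logger = LogFactory.getLog(RestController.class);

    @RequestMapping(value = "/api/email", method = RequestMethod.GET, produces = "application/json")
    @ResponseBody
    public EmailEntityResponseWrapper getEmails(HttpServletRequest request, HttpServletResponse response) throws Exception {

        // The uid is read from the servlet session, never from a request parameter.
        final HttpSession session = request.getSession();
        String uid = (String) session.getAttribute("uid");
        EmailEntityResponseWrapper json = exchangeService.getUnreadEmails(uid);

        response.setStatus(HttpServletResponse.SC_OK);
        response.setHeader("Cache-Control", "must-revalidate");

        return json;
    }
}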


In the method above we pull the uid from the session which we could do in a portlet but that is not possible in a soffit running independently from the uPortal server. Hence why we need to pull it from the JWT bearer.

I've tried what you suggested already by declaring a bean with the @Component @SoffitModelAttribute. I then auto-wired it into the controller but the bearer value was null. My assumption is it's because it needs to be pulled into a JSP page before it is populated? If you are stating that should work I'll keep hammering at it, it could just be bad syntax on my part.

If we pull the id from the JSP then the restful service will need it to be passed as an argument. This will make it vulnerable to exploitation because you can essentially view anyone's emails.  

Cheers,
Leigh

On Tuesday, January 22, 2019 at 4:23:47 PM UTC, awills wrote:

Leigh,

I think you'll be able to do what you need, but it would help if you tell me a little bit about how you plan for your "Spring MVC controller" to respond to the HTTP request from the portal server.

Some relevant (afaik) points to the discussion:

  - (1) In soffits, the remote component responds to the portal with an HTML fragment that gets incorporated into the portal page response.

  - (2) In Java-based soffits, normally that HTML is produced by rendering a JSP.

Is #1 accurate in your case?  (If not, you are definitely in uncharted waters.  I'm not saying we can't possibly go there... but I want to understand how much new stuff we're making up.)

If #1 is accurate, is #2 as well?  (If not, then why not?  There's not much reason _not_ to use a JSP, if only a very static one.)

If #1 and #2 are both accurate, then I know exactly what to suggest:  use the @SoffitModelAttribute annotation.

  - https://jasig.github.io/uPortal/developer/soffits/soffit_data_model.html#the-soffitmodelattribute-annotation

Create a new class and make it a Bean.  Annotate one or more methods with @SoffitModelAttribute.  Those methods can declare that they need the Bearer object.  If they do, they will receive it.

If it matters, the object returned by these methods will be available to the JSP when it renders.

drew

On 1/22/19 8:03 AM, lgo...@... wrote:
Hi,

I can't figure out how to access the bearer object within the Spring Mvc controller. I can easily do it within a JSP. Is it possible to do this within Spring Mvc?

The documentation states how to access it via JSP and extend it, but there do not seem to be instructions on how to directly access the object. I'm no Java expert, it's highly possible that I am doing something silly here.

I'm building an email Soffit which allows you to see your email based on an id attribute stored in the bearer object. I don't want to send that id value to the service from the frontend as this could be easily exploited. I just want the service to only ever show the logged-in user's emails.

Cheers,
Leigh
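
An added example, not code from this thread or from uPortal: it illustrates the design point raised above, that the email lookup should take the user id from a signed bearer token verified on the server rather than from a value the front end supplies. It assumes an HS256-signed token with "sub" and "exp" claims and a constructed key; uPortal's own soffit token handling and claim names are not shown on this page, and the class and method names here are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BearerIdentityDemo {
    // Constructed demo key; a real service loads its signing key from configuration.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    // Regex claim extraction keeps the demo JDK-only; a JSON parser belongs here in real code.
    static final Pattern SUB = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"\\\\]+)\"");
    static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d{1,12})");
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();

    static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }
    // Builds a constructed token so the demo runs offline.
    static String sign(String payloadJson) throws Exception {
        String signed = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "." + b64(payloadJson);
        return signed + "." + ENC.encodeToString(hmac(signed));
    }
    // Returns the user id only for a correctly signed, unexpired token; otherwise null.
    static String verifiedSubject(String authorization) throws Exception {
        if (authorization == null || !authorization.startsWith("Bearer ")) return null;
        String[] p = authorization.substring(7).split("\\.");
        if (p.length != 3) return null;
        byte[] sig;
        try { sig = Base64.getUrlDecoder().decode(p[2]); } catch (IllegalArgumentException e) { return null; }
        // Always HMAC-SHA256: the token's own "alg" header is never consulted.
        if (!MessageDigest.isEqual(hmac(p[0] + "." + p[1]), sig)) return null;
        String json = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
        Matcher exp = EXP.matcher(json), sub = SUB.matcher(json);
        if (!exp.find() || Long.parseLong(exp.group(1)) <= System.currentTimeMillis() / 1000) return null;
        return sub.find() ? sub.group(1) : null;
    }

    public static void main(String[] args) throws Exception {
        long exp = System.currentTimeMillis() / 1000 + 300;
        String good = sign("{\"sub\":\"leigh\",\"exp\":" + exp + "}");
        // Payload swapped to another user while keeping the original signature.
        String forged = good.replaceFirst("\\.[^.]+\\.", "." + b64("{\"sub\":\"other\",\"exp\":" + exp + "}") + ".");
        System.out.println("valid token  -> " + verifiedSubject("Bearer " + good));
        System.out.println("forged token -> " + verifiedSubject("Bearer " + forged));
    }
}
```

A REST handler built this way passes only the value returned by verifiedSubject to the mail service and answers 401 when it is null, so no user id is ever accepted as a request argument.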