On 11/14/2014 11:24 PM, Bryn Jeffries wrote:
I asked:
> I'd like to upload files through a custom File Upload servlet that runs from the
> same Tomcat server but is not part of XWiki.
[...]
> Is it possible to make use of the supplied XWiki UI widgets to upload to this
> servlet? Any guidance on how to do this would be greatly appreciated.
Marius said:
This has been helpful, thanks. Is it possible for me to get hold of any xwiki session
information within my external servlet? I'd like to know the XWiki name of the user
that's uploading the file.
I guess it is possible to do that, but you would have to write a component that is:
- a custom XWiki authenticator
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HCustomA…
to store the session id on login (and remove it at logout)
- and maybe a Session listener:
https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSessionListener…
to handle session timeout
- finally has an API to communicate that information to the external servlet, without
leaking the session-ids to other "interested" parties
Somehow that does not look like a good idea to me.
Presumably one way would be to include the user name
in the form request, though browsing through some of the code
(
https://github.com/xwiki/xwiki-platform/blob/stable-6.2.x/xwiki-platform-co…)
it looks at first glance that there's no way to add this unless I paste them as GET
variables in the action URL.
The alternative to fiddling with form action is to use hidden form fields; these
should be sent to the target in the same way as the form action.
To do this you are back in server-side template-land (instead of JavaScript), where you
should be able to say something like
<input type="hidden" name="userId"
value="$escapetool.html($xcontext.user)" />
<input type="hidden" name="userName"
value="$escapetool.html($xwiki.getUserName($xcontext.user))" />
(cobbled together with the help of
http://platform.xwiki.org/xwiki/bin/view/SRD/Navigation?xpage=embed , untested ...)
This data then should be sent to the upload servlet. Admittedly this is not spoof-proof
(anyone e.g. can use a browser-dev tool like firebug and edit the values before uploading
the file).
If you want a "safe and secure" method, you might consider "container
authentication" (i.e. users come from the servlet container)
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HContain…
then the upload servlet has the same user as XWiki (except for "XWiki-only" users, for
which the widget will just not work).
Oh, and if the servlet really moves to a different server ... well, maybe it works to set
up a distributed user authentication like CAS.
just a few thoughts as I came along, use at own risk ;)
Alternatively if the file submission has corresponding
session data (not sure whether this is the case) would it be possible for my servlet to
request the user name from XWiki in some way?
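An added example, not part of the original thread: the external upload servlet under the "container authentication" option suggested in the reply above, attributing the upload to the user the servlet container authenticated instead of the editable hidden `userId` field. The class name, URL pattern, the `filepath` part name and the size limit are assumptions; only the standard Servlet 3.0 API is used.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical servlet: class name, URL pattern and field names are assumptions.
@WebServlet("/upload")
@MultipartConfig(maxFileSize = 10 * 1024 * 1024)
public class ExternalUploadServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity established by the servlet container at login; null when
        // the request is not authenticated.
        String uploader = req.getRemoteUser();
        if (uploader == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login required");
            return;
        }

        // The hidden "userId"/"userName" form fields are client-controlled and
        // are deliberately not read here: they must never decide attribution.

        Part file = req.getPart("filepath"); // assumed name of the file input
        if (file == null || file.getSize() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "No file in request");
            return;
        }

        // Store under a server-generated name, relative to the location
        // configured in @MultipartConfig (the container default here).
        String storedAs = UUID.randomUUID().toString();
        file.write(storedAs);

        log("upload " + storedAs + " (" + file.getSize() + " bytes) by " + uploader);
        resp.setContentType("text/plain");
        resp.getWriter().println("Stored upload for " + uploader);
    }
}
```

For the container to populate `getRemoteUser()`, the servlet's URL must also be covered by a security constraint in its web application's deployment descriptor.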