Finding username in a widget's context
Hi All.
I'm writing some RTC widgets for a corporate dashboard. They're basically just implanted web pages from an external server (which processes my raw data and displays a summary). I've been asked to add the ability to annotate the results on display.
Doing the actual annotation is easy enough - I can just POST the comment at the external server. But that's likely to leave many anonymous comments, which I don't want. I'd like to be able to prepend the user's name so that everyone knows who is making the comment - does anyone have a handy way to get at it? It's in the overall page, but I can't find anything in the iframe's DOM.
Is this possible?
Thanks!
Vic.
I'm writing some RTC widgets for a corporate dashboard. They're basically just implanted web pages from an external server (which processes my raw data and displays a summary). I've been asked to add the ability to annotate the results on display.
Doing the actual annotation is easy enough - I can just POST the comment at the external server. But that's likely to leave many anonymous comments, which I don't want. I'd like to be able to prepend the user's name so that everyone knows who is making the comment - does anyone have a handy way to get at it? It's in the overall page, but I can't find anything in the iframe's DOM.
Is this possible?
Thanks!
Vic.
3 answers
It depends how your widget is implemented - is it an OpenSocial gadget, External Content Widget, or Viewlet? If it's one of the first two, or if it's implemented as a simple iframe pointing to the remote server, then browser security will prevent you from reaching out and finding out who is logged into the page that contains the iframe. If you're creating the iframe yourself, then you could pass in the user id in a URL parameter for the iframe so that it can read it, but you may not have this luxury depending on how you implemented it.
The best approach is to actually authenticate with your own server, so that it knows independently of the Jazz server who you are. This is the most secure option as you wouldn't be able to circumvent this easily and inject another users id in there for the POST. The server would essentially get the user principal from the app container based on the session cookie, or whatever authentication method you use.
The best approach is to actually authenticate with your own server, so that it knows independently of the Jazz server who you are. This is the most secure option as you wouldn't be able to circumvent this easily and inject another users id in there for the POST. The server would essentially get the user principal from the app container based on the session cookie, or whatever authentication method you use.
Comments
is it an OpenSocial gadget
Yes :-(
browser security will prevent you from reaching out and finding out who is logged into the page that contains the iframeYes. I thought as much. Just wondered if some of the javascript thet RTC puts into the iframe might help - but I can't find anything in there.
The best approach is to actually authenticate with your own serverI'm not sure that's going to be great from a usability perspective though - users are already logged in, they'll be unwilling to jump through another hoop.
This is the most secure optionI'm not overly worried about that - this is a utility function; the people who will be using it could just hack at the database if they were that interested in working around it.
Ho hum...
Vic.
The following enhancement is to track the proper solution for getting the user id in a gadget:
Provide a simple way to get current user id from an OpenSocial gadget (244518)
As a temporary workaround, if you don't use lock domain support (hosting the gadget under another hostname/domain for security), then you can actually reach up and grab the user id from the parent window. Here's a quick hack you can use until the real solution comes along:
window.top.com.ibm.team.repository.web.client.session.getAuthenticatedUserId()
This should work in RTC as long as you're not using lock domain. You have to call this from the gadget itself, e.g. here's a test gadget that just prints out the user id:
<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="Test" height="300">
</ModulePrefs>
<Content type="html">
<script type="text/javascript">
alert(window.top.com.ibm.team.repository.web.client.session.getAuthenticatedUserId());
</script>
</Content>
</Module>
So if you have another iframe you're using inside there, you can tack that onto the iframe URL and read it from inside the iframe.
Provide a simple way to get current user id from an OpenSocial gadget (244518)
As a temporary workaround, if you don't use lock domain support (hosting the gadget under another hostname/domain for security), then you can actually reach up and grab the user id from the parent window. Here's a quick hack you can use until the real solution comes along:
window.top.com.ibm.team.repository.web.client.session.getAuthenticatedUserId()
This should work in RTC as long as you're not using lock domain. You have to call this from the gadget itself, e.g. here's a test gadget that just prints out the user id:
<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="Test" height="300">
</ModulePrefs>
<Content type="html">
<script type="text/javascript">
alert(window.top.com.ibm.team.repository.web.client.session.getAuthenticatedUserId());
</script>
</Content>
</Module>
So if you have another iframe you're using inside there, you can tack that onto the iframe URL and read it from inside the iframe.