SampleImplAccess is a service implementation that demonstrates how to store application-private content in ContentHosting, and to make these
available from the Access servlet under the application's control. This code would usually be found in a service implementation of the
application's service API. In this example, there is no API, but there is still an implementation. For a real application, we would add the API
implementation code to this code.
The content is stored in ContentHosting's "private" space (/private/...), in a folder named for this application. The name choosen for example this
is "sampleAccess". In our init() method, we make sure that this space exists. Note the use of a SecurityAdvisor there to assure that the
ContentHostingService calls pass security.
A SecurityAdvisor is code you provide, related only to processing of the current request (i.e. code running on the current thread). When there is a
security advisor, any normal security calls are first sent to the advisor code. That code can allow the access, deny the access, or say nothing
about the access, passing the decision on to any other SecurityAdvisors in a stack, or to the normal security processing code.
You use a security advisor when you can establish that some operation should be allowed to happen, but you are going to collaborate with some other
service to make the action happen, and the other service might not know that it is ok to perform the calls you are about to make. The natural
security it would invoke might not be proper for your application. So you place a security advisor on the stack and take over security for the
duration of your request processing.
In a normal application, the end-user's HTTP interaction would result in content to save in the application's ContentHosting area, either from form
fields or from a file upload. Once the body bytes are created, the application would save these in some named and located file in ContentHosting.
We emulate this and show how to do it in the init() method, creating our one hosted item.
In a normal application, the HTML sent to the end-user would include URL references to the files in our private ContentHosting space. These might
be IMG tags (to embed images), or FRAME or IFRAME addresses, or anything else HTML allows. We ask the ContentResources for their URLs so we can
form our HTML responses.
When the request comes back from the browser to the URL of our ContentHosting items, the Access servlet fields the request. We register as a
EntityProducer in our init() method so that Access will allow us to handle the heart of these requests.
Note that we also declare our implementation class as implementing EntityProducer, which is needed to register. This is best done in the
implementation class instead of the API, since nobody using your API services really need to know you are an EntityProducer.
The way that we know that the URL is for us to handle is because we set the ContentResource to have a URL prefix, our own special one, that we
recognize. While an application can use any form of URL after this it wants, it is convienent to just prefix the ContentHosting's natural Access
URL with our special code, leaving the rest as a ContentHosting entity reference. We do that in this example.
The key thing we are responsible for is determining if the access is allowed. The natural security set on our private area in ContentHosting
assures that nobody has any access at all to the items there. If we decide to grant access, we setup a security advisor so that ContentHosting's
security check is satisfied.
The most common way to check security is to encode the context id into the URL, and into the ContentHosting collection structure of your private
content area. Then you can access the context directly from the URL and do a security check. This is what we do in this example.
An alternate way to handle security is to store meta-data about each item in your application database. Then you need to encode enough information
in the URL to read the item's meta-data. From the meta-data, you can get the ContentHosting reference and security information. We do not show this
in this example.
If you deploy this sample, you will have a working Access servlet / ContentHosting using application that serves up a single file to anyone
authorized to see it. You can test this by entering this URL:
- http:///access/sampleAccess/content/private/sampleAccess/mercury/test.txt
Note that there are some methods needed for EntityProducer that we don't use here. The Entity Bus will be later enhanced to make this a cleaner
process.
The key methods are: parseEntityReference...
|