Securing DWR

Community Engine provides security functionality that lets you use the security publication resource to secure DWR calls.

To secure a DWR AJAX call, use an ajax element instead of an action element. The ajax element must have a pattern attribute that corresponds to what you find in the operation overview on the /dwr/ servlet page.

Like the action element, the ajax element accepts the parameters user and author and may contain permission elements. Here is an example of how to use the ajax element.

<ajax pattern="TagPluginAjax.addTag" user="true">
  <permission>rate</permission>
</ajax>

One difference between checking HTTP requests and checking DWR calls is that for DWR calls, the security module uses the AJAX method's arguments instead of the request parameters.
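Because a pattern has to correspond to an entry in the operation overview on the /dwr/ page, a rule set can be checked against that list. The following is an added example, not Community Engine code: it reports operations with no ajax element, ajax elements that declare no user, author or permission constraint, and patterns that correspond to no operation. The `<security>` wrapper element, exact-string pattern matching, `author="true"` as the attribute value, and the sample data are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <security> wrapper is an assumed root element;
# only the <ajax> and <permission> elements come from the page.
SAMPLE_RESOURCE = """
<security>
  <ajax pattern="TagPluginAjax.addTag" user="true">
    <permission>rate</permission>
  </ajax>
  <ajax pattern="TagPluginAjax.removeTag"/>
  <ajax pattern="TagPluginAjax.addTags" user="true"/>
</security>
"""

# Constructed list standing in for the operation overview on the /dwr/ page.
SAMPLE_OPERATIONS = [
    "TagPluginAjax.addTag",
    "TagPluginAjax.removeTag",
    "TagPluginAjax.listTags",
]


def audit_dwr_rules(resource_xml, operations):
    """Compare <ajax> rules with the exposed DWR operations.

    Assumption: a pattern matches an operation by exact string equality.
    """
    root = ET.fromstring(resource_xml)
    rules = {}
    for el in root.iter("ajax"):
        pattern = (el.get("pattern") or "").strip()
        constrained = (
            el.get("user") == "true"
            or el.get("author") == "true"  # assumed to mirror user="true"
            or any((p.text or "").strip() for p in el.findall("permission"))
        )
        # A pattern declared twice counts as constrained only if every copy is.
        rules[pattern] = rules.get(pattern, True) and constrained
    exposed = set(operations)
    return {
        "missing": sorted(exposed - set(rules)),
        "unconstrained": sorted(p for p, ok in rules.items() if p in exposed and not ok),
        "stale": sorted(p for p in rules if p not in exposed),
    }


if __name__ == "__main__":
    for kind, names in audit_dwr_rules(SAMPLE_RESOURCE, SAMPLE_OPERATIONS).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A "stale" entry such as the misspelled `TagPluginAjax.addTags` is worth reviewing first, since the operation it was meant for shows up under "missing" or is simply not covered.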