Securing DWR
Community Engine provides security functionality so that it is possible to use the security
publication resource to secure the DWR calls.
To secure a DWR AJAX call, an ajax element needs to be used instead of an action element.
This ajax element must have a pattern attribute which corresponds to what you find on the operation overview on the /dwr/ servlet page.
Similar to the action element, the ajax element accepts the parameters user and author and may contain permission elements.
Here is an example of how to use the ajax element.
<ajax pattern="TagPluginAjax.addTag" user="true">
  <permission>rate</permission>
</ajax>
One difference between checking HTTP requests and DWR calls is that for DWR calls, the security module uses the AJAX method's arguments instead of the request parameters.
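Because each ajax pattern has to correspond to an operation listed on the /dwr/ page, it is worth checking that every exposed operation has an ajax element. The following is an added example, not part of Community Engine: a coverage check over a constructed security resource. The security root element, the operation names other than TagPluginAjax.addTag, the author="true" value and exact-string pattern matching are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <security> wrapper is a placeholder root (assumption);
# only the first <ajax> element is taken from the page's example.
SECURITY_XML = """
<security>
  <ajax pattern="TagPluginAjax.addTag" user="true">
    <permission>rate</permission>
  </ajax>
  <ajax pattern="TagPluginAjax.removeTag" author="true"/>
</security>
"""

# Constructed list standing in for the operations shown on the /dwr/ page.
DWR_OPERATIONS = [
    "TagPluginAjax.addTag",
    "TagPluginAjax.removeTag",
    "TagPluginAjax.listTags",
]


def load_ajax_rules(xml_text):
    """Map each ajax pattern to the constraints declared on it."""
    rules = {}
    for el in ET.fromstring(xml_text).iter("ajax"):
        pattern = el.get("pattern")
        if not pattern:
            raise ValueError("ajax element without a pattern attribute")
        rules[pattern] = {
            "user": el.get("user") == "true",
            "author": el.get("author") == "true",
            "permissions": [p.text.strip() for p in el.findall("permission") if p.text],
        }
    return rules


def audit(operations, rules):
    """Return (operations with no ajax rule, rules naming no known operation)."""
    # Assumption: a pattern is compared to the operation name as an exact string.
    uncovered = sorted(op for op in operations if op not in rules)
    stale = sorted(p for p in rules if p not in operations)
    return uncovered, stale


if __name__ == "__main__":
    rules = load_ajax_rules(SECURITY_XML)
    uncovered, stale = audit(DWR_OPERATIONS, rules)
    print("no ajax rule:", uncovered)
    print("rule matches no operation:", stale)
```

A rule reported as matching no operation usually means a typo in the pattern or a renamed method, which leaves the real operation without a rule.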