Permissions in Lightstreamer javascript

[vielktus]

Ok, let me explain this more clearly.

I have a web and a login page. When user 1 logged in, the web will return the code below:

Code:

     <div datasource="lightstreamer" itemname="abc">
     <div datasource="lightstreamer" itemname="xyz">

<!-- Below is the javascript Lightstreamer connect (i use the one ie the helloworld example) -->
<script>
...
</script>

I only want the User 1 to see only 2 <div>s like that. But when the admin logged in, he will see all 3 divs like this:

Code:

     <div datasource="lightstreamer" itemname="abc">...</div>
     <div datasource="lightstreamer" itemname="xyz">...</div>
     <div datasource="lightstreamer" itemname="123123">...</div>
<!-- Below is the javascript Lightstreamer connect (i use the one in the helloworld example) -->
<script>
...
</script>

Of course, i use my own php authentication code. But in this situation, user1 can right click and view web's source, he will see the javascript Lightsteamer connecting code. He will copy the code to connect manually to my lightstreamer server. And what if he knows the item "123123" ? He will add a similar div and he will see the streaming data of that div. I dont want this.

Thanks for the guide authentication in section 4.1, but like you said, i wont use lightstreamer authentication.

Please show me how to handle this case.

[giuseppe.corti]

Hi vielktus,

In a case like your, some credentials information need to be passed to your Metadata Adapter.
If you wont use Lightstreamer authentication you should pass to the Metadata Adapter the user/session info generated by your authetication procedure.
In the notifyUser method you should validate that info against the Web/Application Server that generated it (or a database or whatever back-end system).

Once that the user is validated the notifyNewTables method of your Metadata Adapter should check if the user is entitle for all the Items requested and if not throw a CreditsException.

[vielktus]

Hi vielktus,

In a case like your, some credentials information need to be passed to your Metadata Adapter.
If you wont use Lightstreamer authentication you should pass to the Metadata Adapter the user/session info generated by your authetication procedure.
In the notifyUser method you should validate that info against the Web/Application Server that generated it (or a database or whatever back-end system).

Once that the user is validated the notifyNewTables method of your Metadata Adapter should check if the user is entitle for all the Items requested and if not throw a CreditsException.

Oops, sounds a little bit tough... I use .NET Adapter, PHP Authentication on my web pages. When i validate the user logged in with PHP, how can i use the method notifyUser in the Metadata Adapter ? Can you have some simple codes ?

[Mone]

Hi,

We don't have any ready-made example: basically your .NET adapter and your PHP application need to "communicate".

As an example as your PHP application validates an user, it will likely send back a session cookie to the browser to keep the session alive for a while. It will also store the cookie somewhere (e.g.: memcached, SQL server... ) for checking it on subsequent requests.

That said your client could read such cookie via javascript and use it as user password (setPassword). This way, on the metadata adapter, you'll get the cookie in the notifyUser call and you can validate it against the same storage PHP is accessing (again, memcached, SQL server...)

HTH