Re: [Bodington-developers] Plugin interface

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Alistair Young wrote:

> That's interesting Jon. I take you mean http://www.clan.uhi.ac.uk/ 
> mymodules

No, I'd suggest a Servlet made specifically for including HTML into 
another servlet's output.

> Can you provide an exmaple of how a template would do  
> RequestDispatcher.include() ?

No, but I'm sure minimal alteration to the Template code would be needed.

> if it can't then I'd argue not to bother implementing it as we're  
> back to the same thing. The plugin is neither a facility nor a servlet.

It is a servlet in the sense that it is invoked, gets information from a 
request object and outputs HTML via a response object. The only unusual 
feature is that it never outputs a whole page of HTML and is only used 
to insert output in the output of another servlet.

> However, the plugin can't be accessed outwith it's context - it means  
> nothing until it's invoked by a template and it can get access to  
> current user environment.

It _does_ have context. The request object provides the link to the user 
environment - since it is the request object built by the Bodington 
system. Also, the BuldingContext is available since it is stored against 
the thread ID and the thread that calls your *servlet* is the same 
thread that called the template.

> My only concern is exposing functionality to the world - that's a lot  
> of security updates to maintain as every plugin is accessible via  
> it's servlet. Each parallel servlet will have access to the bod  
> environment but the difference will be they're publicly accessible  
> and attackable. A plugin isn't.

The servlet does _not_ need to be exposed on its own URL. The servlet 
knows if it is being called directly or via an include and can refuse to 
deliver content. It can even tell if the include is coming from 
Bodington or from another servlet.

> I don't think you can get a "private" servlet but I haven't looked  
> into it enough.

Yes you can! If you 'include' a servlet only the security constraints of 
the URL that was originally accessed apply. So, you simply put your 
servlet in the web app with a 'noone can access ever' constraint.

> I'm resisting labelling it anything other than a plugin - coz that's  
> what it is.

A rose would smell as sweet....

Jon

P.S.  IT'S A SERVLET!