[jboss-user] [JBoss Seam] - Re: Seam security example failure.

dajevtic do-not-reply at jboss.com
Fri Oct 20 03:40:01 EDT 2006


Hi, dear Seamers!
I have managed to get a Login Module working which takes users and passwords from an EJB3. After that I use a session bean that takes the user principal of the Faces Context's external context and authenticates the user with the Seam authenticator.

login-module.xml:

<application-policy name="simple">
	<authentication>
		<login-module
			code="de.livemediagroup.security.auth.MarktplatzLoginModule"
			flag="required">
			<module-option name="jndiEntityManagerFactory">java:/issuesEntityManagerFactory</module-option>
		</login-module>
	</authentication>
</application-policy>

LoginModule java file:

import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.naming.InitialContext;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.security.auth.login.LoginException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class MarktplatzLoginModule extends UsernamePasswordLoginModule {

	private static final Log log = LogFactory.getLog(MarktplatzLoginModule.class);

	// module-option in the application-policy that holds the JNDI name of the EntityManagerFactory
	private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";

	// user loaded in getUsersPassword(), reused by getRoleSets()
	private UserInformation user;

	@Override
	protected String getUsersPassword() throws LoginException {
		EntityManager entityManager = null;
		try {
			InitialContext ctx = new InitialContext();
			String jndiEntityManagerFactory = options.get(JNDI_EM_CONFIG_KEY).toString();
			log.debug("looking up EntityManagerFactory " + jndiEntityManagerFactory);
			EntityManagerFactory factory = (EntityManagerFactory) ctx.lookup(jndiEntityManagerFactory);
			entityManager = factory.createEntityManager();

			// load the user by login name; the stored password is handed back to
			// UsernamePasswordLoginModule, which compares it with the one entered
			user = (UserInformation) entityManager.createQuery(
					"from UserInformation where login=:login")
					.setParameter("login", getUsername()).getSingleResult();
			return user.getPassword();
		} catch (Exception e) {
			// "Fehler beim ermitteln des Benutzers" = error while looking up the user
			log.error("Fehler beim ermitteln des Benutzers", e);
			throw new LoginException("Fehler beim ermitteln des Benutzers: " + e);
		} finally {
			// close the EntityManager on every path so a login attempt does not leak one
			if (entityManager != null) {
				entityManager.close();
			}
		}
	}

	@Override
	protected Group[] getRoleSets() throws LoginException {
		// JBoss expects a group named "Roles" that holds one principal per role
		Group rolesGroup = new SimpleGroup("Roles");
		List<Group> groups = new ArrayList<Group>();
		groups.add(rolesGroup);
		try {
			Iterator<Role> roleIterator = user.getRoles().iterator();
			while (roleIterator.hasNext()) {
				rolesGroup.addMember(createIdentity(roleIterator.next().getName()));
			}
		} catch (Exception e) {
			log.error("could not map roles for user " + getUsername(), e);
		}
		return groups.toArray(new Group[groups.size()]);
	}

}


Managed seam session bean:

import java.security.Principal;
import javax.ejb.Stateful;
import javax.faces.context.FacesContext;
import javax.persistence.EntityManager;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Begin;
import org.jboss.seam.annotations.Factory;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Out;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.Conversation;
import org.jboss.seam.log.Log;
// import for Authenticator omitted: its package depends on the Seam security module in use

@Name("login")
@Stateful
@Scope(ScopeType.SESSION)
@Startup
public class LoginBean implements Login {

	@Logger
	Log log;

    @In(create=true)
    private EntityManager entityManager;

    @In(create=true)
    private Conversation conversation;

    private UserInformation instance = new UserInformation();

    // outjected into the session under the name "User"
    @Out(scope=ScopeType.SESSION, required=true)
    private UserInformation User;

    @Factory("User")
    @Begin(join=true)
    public void createUser() {
        // principal set by the container's FORM login (see web.xml); it is null
        // if the request did not pass through the security constraint
        Principal principal = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal();
        if (principal == null) {
            throw new IllegalStateException("no container-authenticated user in this request");
        }
        log.debug("principal class: " + principal.getClass().getName());

        String login = principal.getName();
        log.debug(login + " 1 " + entityManager);
        User = (UserInformation) entityManager.createQuery("from UserInformation where login=:login")
            .setParameter("login", login).getSingleResult();
        // re-authenticates with Seam using the password read back from the entity
        Authenticator.instance().authenticate(User.getLogin(), User.getPassword());
        Contexts.getSessionContext().set("loggedIn", true);
    }
...
...
...


web.xml security:

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>simple</web-resource-name>
			<url-pattern>/marktplatz/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>user</role-name>
		</auth-constraint>
	</security-constraint>

	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.jsf</form-login-page>
			<form-error-page>/login.jsf</form-error-page>
		</form-login-config>
	</login-config>

	<welcome-file-list>
		<welcome-file>/marktplatz/startpage.jsf</welcome-file>
		<welcome-file>/index.html</welcome-file>
	</welcome-file-list>


Note that /marktplatz is the secured area and there is no other area except for the login page, which resides inside the root folder of my web-app.

Now my questions:
1.) Am I assuming correctly that a session is only created when the user has logged in successfully, or have I just coded a HUGE security leak for my webapp?
2.) I tried using a custom principal class (UserInformation implements Principal) by specifying the principalClass option for my login module, and it was used throughout the login process. However, in my web app I always got a SimplePrincipal object when doing

FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName()

Why was my custom principal class not propagated into the external context, but SimplePrincipal used instead?



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3979570#3979570

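The following is an added example, not code from the original post or from the JBoss/Seam projects. It keeps the shape of the MarktplatzLoginModule above (getUsersPassword() loading the user from the EJB3 EntityManagerFactory named by the jndiEntityManagerFactory option, getRoleSets() building the "Roles" group) but changes what the database hands to the comparison: the column holds a salted SHA-256 hash, and the comparison is done in an override of UsernamePasswordLoginModule.validatePassword() instead of on the returned string. It assumes a hypothetical entity API (UserInformation.getPasswordHash() and getSalt() returning hex strings, getRoles() returning a Collection<Role> with Role.getName()) and an application-policy like the one in the post with no hashAlgorithm option, so validatePassword() receives the password exactly as entered.

```java
import java.security.MessageDigest;
import java.security.acl.Group;
import javax.naming.InitialContext;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.NoResultException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Added example (not from the original post). The stored value is a salted
 * SHA-256 hash, so getUsersPassword() never returns a secret that could end up
 * in a log line or be compared with String.equals().
 *
 * Assumed (hypothetical) entity API: UserInformation.getPasswordHash() and
 * getSalt() return hex strings; getRoles() returns a Collection<Role>.
 */
public class HashedPasswordLoginModule extends UsernamePasswordLoginModule {

    private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";
    private static final String DIGEST = "SHA-256";

    private UserInformation user;

    @Override
    protected String getUsersPassword() throws LoginException {
        String jndiName = String.valueOf(options.get(JNDI_EM_CONFIG_KEY));
        EntityManager em = null;
        try {
            EntityManagerFactory emf = (EntityManagerFactory) new InitialContext().lookup(jndiName);
            em = emf.createEntityManager();
            user = (UserInformation) em.createQuery("from UserInformation where login = :login")
                    .setParameter("login", getUsername())
                    .getSingleResult();
            // The hash, not the password, is what validatePassword() below receives.
            return user.getPasswordHash();
        } catch (NoResultException unknownUser) {
            // Same message as for a wrong password, so the response does not
            // reveal which login names exist.
            throw new LoginException("Invalid username or password");
        } catch (Exception e) {
            throw new LoginException("Authentication backend unavailable");
        } finally {
            // Closed on every path; the module in the post leaked one EntityManager per attempt.
            if (em != null) {
                em.close();
            }
        }
    }

    /** Called by UsernamePasswordLoginModule.login() with the entered password and the value returned above. */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedHashHex) {
        if (inputPassword == null || expectedHashHex == null || user == null) {
            return false;
        }
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST);
            md.update(hexToBytes(user.getSalt()));      // per-user salt stored next to the hash
            md.update(inputPassword.getBytes("UTF-8"));
            return constantTimeEquals(md.digest(), hexToBytes(expectedHashHex));
        } catch (Exception e) {
            return false;
        }
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");         // group name JBoss expects for role principals
        if (user != null) {
            for (Role role : user.getRoles()) {
                try {
                    roles.addMember(createIdentity(role.getName()));
                } catch (Exception e) {
                    throw new LoginException("Cannot map role " + role.getName());
                }
            }
        }
        return new Group[] { roles };
    }

    /** Compares every byte no matter where the first mismatch is, so timing does not leak the hash. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two consequences of this design are worth noting. First, a session bean like the LoginBean in the post can no longer call authenticate(login, password) with a value read back from the entity, because the plaintext is not stored anywhere; the Seam side has to rely on the container principal instead. Second, a single SHA-256 round is used only to keep the example short; an iterated key derivation function is the better choice for stored passwords.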