[jboss-user] [JBoss Seam] - Where to invoke implicit login for custom SSO?

stu2 do-not-reply at jboss.com
Thu Nov 15 01:59:57 EST 2007


I'm implementing simple custom SSO, and am struggling to find the correct place to perform an implicit login when the user first hits the application.

I had thought that a filter would be the natural place for this, and have a SsoFilter created and registered with SeamFilter.  This works as I expected it to, BUT the call to identity.login() fails because there's no application scope active - the filter executes before the lifecycle sets up the context for the request (I think).

Here's what I see:

java.lang.IllegalStateException: No active application scope
        at org.jboss.seam.security.Configuration.instance(Configuration.java:71)
        at org.jboss.seam.security.Identity.getLoginContext(Identity.java:412)
        at org.jboss.seam.security.Identity.authenticate(Identity.java:324)
        at org.jboss.seam.security.Identity.login(Identity.java:237)
        at weblock.servlet.SsoFilter.doFilter(SsoFilter.java:78)
        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

Here's what I'm basically doing in my filter:

        // taken from AuthenticationFilter from Seam source.
        Identity identity = (Identity) request.getSession().getAttribute( Seam.getComponentName(Identity.class) );

        // ssoUsername: the value obtained from the SSO token
        identity.setUsername(ssoUsername);
        // for our requirements we don't actually need a password, and
        // authenticate is written accordingly

        // this is what blows up!
        String loginResult = identity.login();

Argh!  Is a filter the wrong place to do this sort of thing in Seam?  We're developing against JBoss, deploying into WebLogic, so container integration isn't an option.  The JSF lifecycle hooks Seam uses via SeamListener look promising (session binding) but they don't look intended to be extensible, and I don't think the contexts are initialized there either.  We don't want any sort of login page - this behaviour should all be transparent to the users.

Am I missing something obvious?

Any help would be greatly appreciated.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4104848#4104848
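
An added example, not part of the original post and not the poster's SsoFilter: one way to run the implicit login inside active Seam contexts from a servlet filter, and to refuse the request when login does not succeed. It assumes Seam 2.x, where org.jboss.seam.servlet.ContextualHttpServletRequest is available; the class name SsoLoginFilter, the SSO_USER header and the resolveSsoUser helper are hypothetical stand-ins for however the SSO token is read and validated.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.seam.security.Identity;
import org.jboss.seam.servlet.ContextualHttpServletRequest;

// Hypothetical filter; register it so it runs for every protected URL.
public class SsoLoginFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final String ssoUser = resolveSsoUser(request);
        final boolean[] loggedIn = { false };

        // run() sets up the Seam contexts (application, session, event) for
        // this request, calls process(), then tears the contexts down again.
        new ContextualHttpServletRequest(request) {
            @Override
            public void process() throws Exception {
                Identity identity = Identity.instance();
                if (!identity.isLoggedIn() && ssoUser != null) {
                    identity.setUsername(ssoUser);
                    identity.login(); // invokes the configured authenticate method
                }
                loggedIn[0] = identity.isLoggedIn();
            }
        }.run();

        // Fail closed: no valid SSO identity means no access, not anonymous access.
        if (!loggedIn[0]) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Assumption: a trusted SSO front end validates the token, strips any
    // client-supplied SSO_USER header, and sets its own. Replace with real
    // token validation if the application receives the raw token.
    private String resolveSsoUser(HttpServletRequest request) {
        String user = request.getHeader("SSO_USER");
        return (user == null || user.trim().length() == 0) ? null : user.trim();
    }
}
```

Because the password is not checked, the authenticate method trusts whatever username the filter sets, so the filter is only as strong as the validation behind resolveSsoUser.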
