[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-967) JBoss Seam - Support authentication from a realm (on Tomcat)

Bradley Smith (JIRA) jira-events at lists.jboss.org
Fri Oct 19 08:46:03 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-967?page=comments#action_12383424 ] 
            
Bradley Smith commented on JBSEAM-967:
--------------------------------------

Pete,

I have to disagree with how you distinguish between Identity and authorization:

"As above, identity and authenticator are for authorization and authentication separately."

Indeed, Identity maintains the state regarding an authenticated user's roles, but the intent of an authenticator is to create the authentication AND authorization state of the identity instance for a user.  See the Seam documentation; the example authenticator given there shows us:

   import javax.persistence.EntityManager;
   import javax.persistence.NoResultException;
   import org.jboss.seam.annotations.In;
   import org.jboss.seam.annotations.Name;
   import org.jboss.seam.faces.FacesMessages;
   import org.jboss.seam.security.Identity;

   // User and UserRole are the application's own JPA entities (assumed here);
   // the class wrapper and imports are added around the documented method.
   @Name("authenticator")
   public class Authenticator {

      @In EntityManager entityManager;

      public boolean authenticate() {
         try
         {
            // Looks the user up by the username/password the login form put on Identity;
            // note the query compares the stored password value directly.
            User user = (User) entityManager.createQuery(
               "from User where username = :username and password = :password")
               .setParameter("username", Identity.instance().getUsername())
               .setParameter("password", Identity.instance().getPassword())
               .getSingleResult();

            // Authorization state: mirror the user's roles into the Identity instance.
            if (user.getRoles() != null)
            {
               for (UserRole mr : user.getRoles())
                  Identity.instance().addRole(mr.getName());
            }

            // Authentication state: Identity records the login as successful.
            return true;
         }
         catch (NoResultException ex)
         {
            FacesMessages.instance().add("Invalid username/password");
            return false;
         }
      }
   }

which clearly is doing two things - returning true or false (which identity will use to set state regarding authentication status) - and populating the roles stored by the identity instance.  So from my perspective, Identity is a Seam framework construct which maintains authentication/authorization state;  an authenticator is a means for obtaining this state.



> JBoss Seam - Support authentication from a realm (on Tomcat)
> ------------------------------------------------------------
>
>                 Key: JBSEAM-967
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-967
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Security
>            Reporter: Bradley Smith
>         Assigned To: Shane Bryzak
>
> Please see discussion in the JBoss forum reference.
> The idea is to allow the Seam Identity (security) component to get the Principal from the HttpServletRequest and to delegate the hasRole() calls to the HttpServletRequest as well.  This is because, in my case, Tomcat has already forced the user to authenticate if necessary and the authentication, authorization information is available in the container's HttpServletRequest impl.
> Principal userPrincipal = httpServletRequest.getUserPrincipal();
> public boolean hasRole(String roleName) {
>    return httpServletRequest.isUserInRole(roleName);
> }
> public String getUsername() {
>    return httpServletRequest.getRemoteUser();
> }
> public boolean isLoggedIn() {
>    return httpServletRequest.getUserPrincipal() != null;
> }
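The two positions above can be reconciled in one place: an authenticator whose authentication and role state both come from the container's HttpServletRequest, as the issue proposes, while still filling the Identity instance the way the documented authenticator does. This is an added illustration, not code from the issue or from Seam; it assumes Seam 2.0's ServletContexts.instance().getRequest(), Identity.setUsername(String) and Identity.addRole(String), and the role names are constructed placeholders.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.contexts.ServletContexts;
import org.jboss.seam.security.Identity;

// Hypothetical authenticator: the container (Tomcat realm) has already done the
// authentication, so no credentials are checked here; the component only copies
// the container's view of the caller into Seam's Identity.
@Name("authenticator")
public class ContainerDelegatingAuthenticator {

    // isUserInRole() answers yes/no for a single name, so the roles the application
    // wants mirrored into Identity must be enumerated. Constructed placeholder names.
    private static final String[] MIRRORED_ROLES = { "admin", "user" };

    public boolean authenticate() {
        HttpServletRequest request = ServletContexts.instance().getRequest();
        return populate(request, Identity.instance());
    }

    // Kept separate from authenticate() so the logic can be exercised with a
    // mock request and Identity outside the container.
    boolean populate(HttpServletRequest request, Identity identity) {
        if (request == null) {
            return false;
        }
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // No container authentication took place (e.g. the URL is not covered by a
            // security-constraint), so grant nothing rather than trusting a null user.
            return false;
        }
        // Authentication state: the name the realm authenticated.
        identity.setUsername(principal.getName());
        // Authorization state: only roles the realm confirms are added. Identity caches
        // them for the session, so a role revoked in the realm later is not seen until
        // the user logs in again.
        for (String role : MIRRORED_ROLES) {
            if (request.isUserInRole(role)) {
                identity.addRole(role);
            }
        }
        return true;
    }
}
```

Because the return value and the role population are both driven by the request, Identity ends up holding exactly the authentication and authorization state the container established, which is the division of labour the comment above argues for.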

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
