[JBoss Seam] - Re: Seam security example failure.
by dajevtic
Almost forgot the login page :-)
|
| <!-- Container-managed FORM login: the fields must be named j_username and j_password and be posted to j_security_check -->
| <!-- Labels are German: Benutzername = user name, Passwort = password, Anmelden = log in -->
| <s:form method="POST" action="j_security_check">
|   <h:panelGrid columns="2">
|
|     <f:facet name="header">
|       <h:panelGroup>
|         <h:outputText value="Login" />
|       </h:panelGroup>
|     </f:facet>
|
|     <h:outputLabel value="Benutzername:" for="j_username" />
|     <t:inputText forceId="true" id="j_username" />
|
|     <h:outputLabel value="Passwort:" for="j_password" />
|     <t:inputSecret forceId="true" id="j_password" />
|
|     <f:facet name="footer">
|       <h:panelGroup>
|         <h:commandButton type="submit" value="Anmelden" />
|       </h:panelGroup>
|     </f:facet>
|
|   </h:panelGrid>
| </s:form>
|
I use my-faces 1.1.5-snapshot but a simple html or jsp login page will do just as well.
P.S. Please excuse the System.out.println and German texts in my code: QUICK AND DIRTY allnighter ;-)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3979573#3979573
[JBoss Seam] - Re: Seam security example failure.
by dajevtic
Hi, dear Seamers!
I have managed to get a Login Module working which takes Users and Passwords from an EJB3. After that I use a Session bean that takes the user principal of the Faces Context's external context and authenticates the user with the seam authenticator.
login-module.xml:
<application-policy name="simple">
|   <authentication>
|     <login-module
|         code="de.livemediagroup.security.auth.MarktplatzLoginModule"
|         flag="required">
|       <module-option name="jndiEntityManagerFactory">java:/issuesEntityManagerFactory</module-option>
|     </login-module>
|   </authentication>
| </application-policy>
LoginModule java file:
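import java.security.acl.Group;
| import java.util.ArrayList;
| import java.util.Iterator;
| import java.util.List;
| import javax.naming.InitialContext;
| import javax.persistence.EntityManager;
| import javax.persistence.EntityManagerFactory;
| import javax.security.auth.login.LoginException;
| import org.apache.commons.logging.Log;
| import org.apache.commons.logging.LogFactory;
| import org.jboss.security.SimpleGroup;
| import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
| // UserInformation and Role are the application's own entity classes.
|
| public class MarktplatzLoginModule extends UsernamePasswordLoginModule {
|
|     private static final Log log = LogFactory.getLog(MarktplatzLoginModule.class);
|
|     // Name of the module-option that carries the JNDI name of the EntityManagerFactory.
|     private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";
|
|     // Loaded in getUsersPassword() and reused in getRoleSets().
|     private UserInformation user;
|
|     // Returns the stored password; the superclass compares it with the submitted one.
|     @Override
|     protected String getUsersPassword() throws LoginException {
|         try {
|             InitialContext ctx = new InitialContext();
|             String jndiEntityManagerFactory = options.get(JNDI_EM_CONFIG_KEY).toString();
|             System.out.println(jndiEntityManagerFactory);
|             EntityManagerFactory factory = (EntityManagerFactory) ctx.lookup(jndiEntityManagerFactory);
|             // The EntityManager is not closed here; getRoleSets() still reads
|             // user.getRoles(), which may load lazily.
|             EntityManager entityManager = factory.createEntityManager();
|
|             // Bound parameter, so the submitted login name is never concatenated into the query.
|             user = (UserInformation) entityManager
|                     .createQuery("from UserInformation where login=:login")
|                     .setParameter("login", getUsername())
|                     .getSingleResult();
|             return user.getPassword();
|         } catch (Exception e) {
|             // Message text is German for "Error while looking up the user".
|             log.error("Fehler beim ermitteln des Benutzers", e);
|             throw new LoginException("Fehler beim ermitteln des Benutzers: " + e);
|         }
|     }
|
|     // Puts the user's role names into the "Roles" group.
|     @Override
|     protected Group[] getRoleSets() throws LoginException {
|         Group rolesGroup = new SimpleGroup("Roles");
|         List<Group> groups = new ArrayList<Group>();
|         groups.add(rolesGroup);
|         try {
|             Iterator<Role> roleIterator = user.getRoles().iterator();
|             while (roleIterator.hasNext()) {
|                 rolesGroup.addMember(createIdentity(roleIterator.next().getName()));
|             }
|         } catch (Exception e) {
|             // On failure the roles loaded so far (possibly none) are returned.
|             log.error("Failed to load roles", e);
|         }
|         Group[] roleSets = new Group[groups.size()];
|         groups.toArray(roleSets);
|         return roleSets;
|     }
|
| }
|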
Managed seam session bean:
| @Name("login")
| @Stateful
| @Scope(ScopeType.SESSION)
| @Startup
| public class LoginBean implements Login {
|
|     @Logger
|     Log log;
|
|     @In(create=true)
|     private EntityManager entityManager;
|
|     @In(create=true)
|     private Conversation conversation;
|
|     private UserInformation instance = new UserInformation();
|
|     // Outjected into the session context under the name "User".
|     @Out(scope=ScopeType.SESSION, required=true)
|     private UserInformation User;
|
|     // Factory for "User": looks up the entity for the principal the container
|     // authenticated, then passes that user's login and stored password to Seam.
|     @Factory("User")
|     @Begin(join=true)
|     public void createUser() {
|         // Debug output: concrete class of the container's principal.
|         System.out.println(FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName());
|
|         // getUserPrincipal() returns null for a request the container has not authenticated.
|         String login = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();
|         System.out.println(login + " 1 " + entityManager);
|         User = (UserInformation) entityManager.createQuery("from UserInformation where login=:login")
|                 .setParameter("login", login).getSingleResult();
|         Authenticator.instance().authenticate(User.getLogin(), User.getPassword());
|         Contexts.getSessionContext().set("loggedIn", true);
|     }
|     ...
|     ...
|     ...
|
web.xml security:
|
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>simple</web-resource-name>
|     <url-pattern>/marktplatz/*</url-pattern>
|   </web-resource-collection>
|   <auth-constraint>
|     <role-name>user</role-name>
|   </auth-constraint>
| </security-constraint>
|
| <login-config>
|   <auth-method>FORM</auth-method>
|   <form-login-config>
|     <form-login-page>/login.jsf</form-login-page>
|     <form-error-page>/login.jsf</form-error-page>
|   </form-login-config>
| </login-config>
|
| <welcome-file-list>
|   <welcome-file>/marktplatz/startpage.jsf</welcome-file>
|   <welcome-file>/index.html</welcome-file>
| </welcome-file-list>
|
Note that /marktplatz is the secured area and there is no other area except for the login page, which resides inside the root folder of my web-app.
Now my questions:
1.) Am I assuming correctly that a Session is only created when the user has logged in successfully, or have I just coded a HUGE security leak for my webapp?
2.) I tried using a custom principal class (UserInformation implements Principal) by specifying the principalClass option for my login module, and it was used throughout the login process. However, in my web app I always got a SimplePrincipal object when doing
| FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName()
|
Why was my custom principal class not propagated into the external context, but SimplePrincipal used instead?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3979570#3979570
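Added example, not part of the original post and not JBoss or Seam code: a small Python check that applies the servlet url-pattern matching rules to the web.xml fragment posted above and reports which paths demand a role and which are reachable without login. It ignores http-method and transport-guarantee elements and treats a role-name of * as an ordinary name; all function names are made up for this sketch.

```python
import xml.etree.ElementTree as ET

# Constraint and login page from the post above; the <web-app> wrapper is added so it parses.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><url-pattern>/marktplatz/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint>
<login-config><form-login-config>
  <form-login-page>/login.jsf</form-login-page>
</form-login-config></login-config>
</web-app>"""

def find_all(el, name):
    # Match on the local name so namespaced descriptors work too.
    return [c for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name]

def match_rank(pattern, path):
    """Servlet url-pattern match rank (higher = more specific), None if no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def combine(a, b):
    """Same-pattern constraints: empty set (deny all) wins, then None (open), else union."""
    if a == set() or b == set():
        return set()
    return None if a is None or b is None else a | b

def required_roles(web_xml, path):
    """Roles the best-matching constraint demands; None means no login is required."""
    best, roles = None, None
    for sc in find_all(ET.fromstring(web_xml), "security-constraint"):
        # A constraint without any auth-constraint leaves its patterns open (None).
        names = {r.text.strip() for r in find_all(sc, "role-name")} if find_all(sc, "auth-constraint") else None
        for pat in find_all(sc, "url-pattern"):
            rank = match_rank(pat.text.strip(), path)
            if rank is not None and (best is None or rank >= best):
                roles = names if rank != best else combine(roles, names)
                best = rank
    return roles

def audit(web_xml, paths):
    """Map the FORM login page plus `paths` to the roles required (None = public)."""
    login = [e.text.strip() for e in find_all(ET.fromstring(web_xml), "form-login-page")]
    return {p: required_roles(web_xml, p) for p in login + list(paths)}
```

For the descriptor above, `audit(WEB_XML, ["/index.html", "/marktplatz/startpage.jsf"])` reports `/login.jsf` and `/index.html` as public and `/marktplatz/startpage.jsf` as requiring `user`. Anything rendered from outside `/marktplatz/*` therefore runs without a container-authenticated principal.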
[EJB 3.0] - Re: Sharing EJB3 classes in a .jar creates
by niclas.lindberg
Hi Al! Thanks again... unfortunately same error.
I moved persistence.xml into subsystem-shared.jar and registered it in application.xml as and removed persistence.xml from accountsystem.jar.
Same Exception "Unknown Entity".
It simply doesn't seem to work if the EJB3 entities AND the persistence.xml AND the EntityManager(UnitName=xxx) are not defined in the same .jar.
Can it really be like that??
I think it would be great if you could reuse the same entities and persist them through different PersistenceContexts anywhere in the system...
My wish is simple...
I want each subsystem to be as independent as possible. In case of dependency I want to put all dependent classes in a shared.jar for each subsystem.jar to reference, so as not to get any classloading problems. (Classic approach)
Basically the dependent classes are: SessionBean interfaces, Exceptions and DataObjects. The dataobjects are Ejb3 entities.
How do I package it to work?
My idea is that each subsystem puts different aspects on the data.... So if I create one dataaccess subsystem and have all entity access go through there and define the whole domainmodel in that .jar, it becomes a mess when the system evolves...
I would like each subsystem to handle its own datamodel with some systemwide data classes (basically PKs with some systemwide attributes) available.
Thanks thanks thanks for your involvement so far!!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3979569#3979569