[ http://jira.jboss.com/jira/browse/JBSEAM-967?page=comments#action_12383424 ]
Bradley Smith commented on JBSEAM-967:
--------------------------------------
Pete,
I have to disagree with how you distinguish between Identity and authorization:
"As above, identity and authenticator are for authorization and authentication
separately."
Indeed, Identity maintains the state regarding an authenticated user's roles, but the
intent of an authenticator is to create the authentication AND authorization state of the
identity instance for a user. See the Seam documentation; the example authenticator given
there shows us:
    import javax.persistence.EntityManager;
    import javax.persistence.NoResultException;
    import org.jboss.seam.annotations.In;
    import org.jboss.seam.annotations.Name;
    import org.jboss.seam.faces.FacesMessages;
    import org.jboss.seam.security.Identity;

    // User and UserRole are the application's own JPA entities.
    @Name("authenticator")
    public class Authenticator {
        @In EntityManager entityManager;

        public boolean authenticate() {
            try
            {
                // Looks the user up by the credentials Identity collected from the login form;
                // the password is compared as stored (the query does no hashing itself).
                User user = (User) entityManager.createQuery(
                    "from User where username = :username and password = :password")
                    .setParameter("username", Identity.instance().getUsername())
                    .setParameter("password", Identity.instance().getPassword())
                    .getSingleResult();
                // Authorization state: copy the user's roles into the Identity instance.
                if (user.getRoles() != null)
                {
                    for (UserRole mr : user.getRoles())
                        Identity.instance().addRole(mr.getName());
                }
                // Authentication state: true tells Identity the login succeeded.
                return true;
            }
            catch (NoResultException ex)
            {
                FacesMessages.instance().add("Invalid username/password");
                return false;
            }
        }
    }
which clearly is doing two things - returning true or false (which Identity will use to
set state regarding authentication status) - and populating the roles stored by the
Identity instance. So from my perspective, Identity is a Seam framework construct which
maintains authentication/authorization state; an authenticator is a means for obtaining
this state.
JBoss Seam - Support authentication from a realm (on Tomcat)
------------------------------------------------------------
Key: JBSEAM-967
URL: http://jira.jboss.com/jira/browse/JBSEAM-967
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: Bradley Smith
Assigned To: Shane Bryzak
Please see discussion in the JBoss forum reference.
The idea is to allow the Seam Identity (security) component to get the Principal from the
HttpServletRequest and to delegate the hasRole() calls to the HttpServletRequest as well.
This is because, in my case, Tomcat has already forced the user to authenticate if
necessary, and the authentication and authorization information is available in the
container's HttpServletRequest impl.
    import java.security.Principal;
    import javax.servlet.http.HttpServletRequest;

    // Sketch of the methods Identity would delegate to the container's request
    private HttpServletRequest httpServletRequest; // the current request, set by the container

    public Principal getPrincipal() {
        return httpServletRequest.getUserPrincipal();
    }
    public boolean hasRole(String roleName) {
        return httpServletRequest.isUserInRole(roleName);
    }
    public String getUsername() {
        return httpServletRequest.getRemoteUser();
    }
    public boolean isLoggedIn() {
        return httpServletRequest.getUserPrincipal() != null;
    }
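Putting the two halves of this thread together (the comment's point that Identity holds both authentication and authorization state, and the request's proposal to source that state from the container), the following is one way to replace Seam's built-in Identity with one backed entirely by the HttpServletRequest. This is an added example, not code from the issue, from Seam, or from the Seam documentation. It assumes Seam 2.0-era APIs: that Identity's getPrincipal(), isLoggedIn(), getUsername() and hasRole() are overridable, that a component with the same @Name and a higher @Install precedence replaces the built-in one, and that the current request is reachable through FacesContext. The package and class names are made up for illustration.

```java
package example.security; // hypothetical package

import java.security.Principal;

import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Install;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.security.Identity;

/**
 * Replaces Seam's built-in Identity (same component name, higher install
 * precedence) with one that never holds its own credentials or role set:
 * the principal, login state and role checks are all answered by the
 * HttpServletRequest that Tomcat has already authenticated.
 */
@Name("org.jboss.seam.security.identity")   // same name as the built-in component
@Scope(ScopeType.SESSION)
@Install(precedence = Install.APPLICATION)  // outranks BUILT_IN, so this one is installed
@BypassInterceptors
@Startup
public class ContainerIdentity extends Identity {

    /** The current request, or null when no JSF request is active (e.g. a timer call). */
    private static HttpServletRequest currentRequest() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        if (ctx == null) {
            return null;
        }
        Object request = ctx.getExternalContext().getRequest();
        return (request instanceof HttpServletRequest) ? (HttpServletRequest) request : null;
    }

    @Override
    public Principal getPrincipal() {
        HttpServletRequest request = currentRequest();
        // Null unless the container authenticated this session (or this request).
        return request == null ? null : request.getUserPrincipal();
    }

    @Override
    public boolean isLoggedIn() {
        return getPrincipal() != null;
    }

    @Override
    public String getUsername() {
        Principal principal = getPrincipal();
        return principal == null ? null : principal.getName();
    }

    @Override
    public boolean hasRole(String role) {
        HttpServletRequest request = currentRequest();
        // isUserInRole applies any <security-role-ref> aliases from web.xml and
        // returns false rather than throwing when nobody is authenticated, so an
        // unauthenticated caller fails every role check instead of bypassing it.
        return request != null && request.isUserInRole(role);
    }
}
```

Two things to check when wiring this up. First, getUserPrincipal() is only populated if the container actually challenged the user, so the pages that must be protected need a security-constraint (and a login-config) in web.xml; without one the principal is null and every hasRole() call returns false. Second, the role names passed to hasRole() are the servlet role names (or their security-role-ref aliases), not whatever the realm stores internally, so keep the names used in @Restrict expressions and in web.xml in step.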
--
This message is automatically generated by JIRA.