[ http://jira.jboss.com/jira/browse/JBSEAM-729?page=comments#action_12403805 ]
Guillaume Jeudy commented on JBSEAM-729:
----------------------------------------
Attached are a few files showing an example on how to propagate the subject to the
container and use CallerIdentityLoginModule in conjunction with Seam.
components.xml:
<security:identity jaas-config-name="RDMRealm" />
jboss-web.xml:
<jboss-web>
    <security-domain>java:/jaas/RDMRealm</security-domain>
</jboss-web>
jboss.xml (to protect the ejbs):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
<jboss>
    <security-domain>java:/jaas/RDMRealm</security-domain>
</jboss>
login-config.xml in jboss server conf/:
<application-policy name="OracleDbRealm">
    <authentication>
        <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
            <module-option name="userName">defaultUser</module-option>
            <module-option name="password">defaultPass</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=ReferenceDataManagerDS</module-option>
        </login-module>
    </authentication>
</application-policy>
<application-policy name="RDMRealm">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersLoginModule" flag="required">
            <module-option name="usersProperties">props/rdm-users.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
pages.xml:
<page view-id="/ssoauth.xhtml" action="#{ssoAuthenticator.checkLogin}" login-required="false">
    <navigation from-action="#{ssoAuthenticator.checkLogin}">
        <rule if-outcome="true">
            <redirect view-id="/showpackages.xhtml"></redirect>
        </rule>
    </navigation>
</page>
<page view-id="/*" login-required="true"/>
<exception class="org.jboss.seam.security.NotLoggedInException">
    <redirect view-id="/ssoauth.xhtml">
        <message severity="warn">You must be authenticated to use this application</message>
    </redirect>
</exception>
<exception class="org.jboss.seam.security.AuthorizationException">
    <redirect view-id="/ssoauth.xhtml">
        <message severity="warn">You must be authorized to use this application</message>
    </redirect>
</exception>
ssoAuthenticator seam component:
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.faces.FacesMessages;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.jboss.web.tomcat.security.login.WebAuthentication;

@Name("ssoAuthenticator")
public class SsoAuthenticator {

    @Logger
    private Log log;

    // get the principal and password the way you want;
    // in my case I retrieve the principal/password populated by an NTLM servlet filter
    private String principalName;
    private String password;

    public boolean checkLogin() {
        Identity identity = Identity.instance();
        // user may already be logged in - check
        if (identity.isLoggedIn(false)) {
            return true;
        }
        return authenticate();
    }

    public boolean authenticate() {
        boolean authenticated = false;
        Identity identity = Identity.instance();
        try {
            // container-level login: associates the Subject with the web request
            // so it is propagated to the EJB tier (and to CallerIdentityLoginModule)
            WebAuthentication webAuth = new WebAuthentication();
            if (!webAuth.login(principalName, password)) {
                FacesMessages.instance().add("Failed to authenticate credentials, user:#0 does not exist or has wrong user/pass combination.", principalName);
                log.error("Failed WebAuthentication.login() returned false for user: #0", principalName);
                return false;
            }
            // Identity must have 'fresh' credentials for authenticate() call to proceed
            identity.setUsername(principalName);
            identity.setPassword(password);
            identity.authenticate();
            // test: read the container Subject through JACC to confirm it propagated
            try {
                Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
                if (caller != null) {
                    log.info("Subject is:" + caller);
                }
            } catch (PolicyContextException e) {
                log.error("Could not read the container Subject", e);
            }
            // end test
            // set identity roles here
            authenticated = true;
        } catch (LoginException e) {
            log.error("Failed to authenticate", e);
            FacesMessages.instance().add("Failed to authenticate, user:#0. " + e.getMessage(), principalName);
        }
        return authenticated;
    }
}
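As an added example (not part of the comment above or of the Seam project), a session bean protected by the jboss.xml security domain shown above, plus a Seam-side check that the container's caller principal matches the Seam identity after WebAuthentication.login(); the bean, its interface, the component names and the role name "rdm-user" are assumptions, and the role must exist in the roles file used by the RDMRealm UsersLoginModule.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;

// --- PackageService.java (hypothetical local interface) ---
@Local
public interface PackageService {
    String callerName();
}

// --- PackageServiceBean.java ---
// Secured by <security-domain>java:/jaas/RDMRealm</security-domain> in jboss.xml,
// so no @SecurityDomain annotation is needed here.
@Stateless
@Name("packageService")
public class PackageServiceBean implements PackageService {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("rdm-user")   // assumed role name
    public String callerName() {
        // The container's view of the caller, built from the Subject that
        // WebAuthentication.login() associated with the request.
        return ctx.getCallerPrincipal().getName();
    }
}

// --- PropagationCheck.java (hypothetical Seam component) ---
@Name("propagationCheck")
public class PropagationCheck {

    @In(create = true)
    private PackageService packageService;

    // true only if the EJB tier sees the same user Seam authenticated;
    // false if the role check fails or the container saw a different caller
    public boolean subjectPropagated() {
        String seamUser = Identity.instance().getUsername();
        try {
            return seamUser != null && seamUser.equals(packageService.callerName());
        } catch (EJBAccessException denied) {
            return false;
        }
    }
}
```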
support container authorization in JBoss
----------------------------------------
Key: JBSEAM-729
URL: http://jira.jboss.com/jira/browse/JBSEAM-729
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: Gavin King
Assigned To: Shane Bryzak
Fix For: 2.1.0.GA
We should use the JBoss-specific Thread->Principal binding to integrate with container
authorization. Make it extensible to support other containers in future.
--
This message is automatically generated by JIRA.