[jboss-user] [JBoss Seam] - Re: Seam security example failure.
dajevtic
do-not-reply at jboss.com
Fri Oct 20 03:40:01 EDT 2006
Hi, dear Seamers!
I have manged to get a Login Module working which takes Users and Passwords from an EJB3. After that I use a Session bean that takes the user principal of the Faces Context's external context and authenticates the user with the seam authenticator.
login-module.xml:
<application-policy name="simple">
| <authentication>
| <login-module
| code="de.livemediagroup.security.auth.MarktplatzLoginModule"
| flag="required">
| <module-option name="jndiEntityManagerFactory">java:/issuesEntityManagerFactory</module-option>
| </login-module>
| </authentication>
| </application-policy>
LoginModule java file:
public class MarktplatzLoginModule extends UsernamePasswordLoginModule {
|
| private static final Log log = LogFactory
| .getLog(MarktplatzLoginModule.class);
|
| private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";
|
| private UserInformation user;
|
| @Override
| protected String getUsersPassword() throws LoginException {
| try {
|
| InitialContext ctx = new InitialContext();
| String jndiEntityManagerFactory = options.get(JNDI_EM_CONFIG_KEY)
| .toString();
| System.out.println(jndiEntityManagerFactory);
| EntityManagerFactory factory = (EntityManagerFactory) ctx
| .lookup(jndiEntityManagerFactory);
| EntityManager entityManager = factory.createEntityManager();
|
| user = (UserInformation) entityManager.createQuery(
| "from UserInformation where login=:login").setParameter(
| "login", getUsername()).getSingleResult();
| return user.getPassword();
| } catch (Exception e) {
| log.error("Fehler beim ermitteln des Benutzers", e);
| throw new LoginException("Fehler beim ermitteln des Benutzers: "
| + e);
| }
| }
|
| @Override
| protected Group[] getRoleSets() throws LoginException {
| Group rolesGroup = new SimpleGroup("Roles");
| ArrayList groups = new ArrayList();
| groups.add(rolesGroup);
| try {
| Iterator<Role> roleIterator = user.getRoles().iterator();
| while (roleIterator.hasNext()) {
| rolesGroup.addMember(createIdentity(roleIterator.next()
| .getName()));
| }
| } catch (Exception e) {
| e.printStackTrace();
| }
| Group[] roleSets = new Group[groups.size()];
| groups.toArray(roleSets);
| return roleSets;
| }
|
| }
|
Managed seam session bean:
| @Name("login")
| @Stateful
| @Scope(ScopeType.SESSION)
| @Startup
| public class LoginBean implements Login {
|
| @Logger
| Log log;
|
| @In(create=true)
| private EntityManager entityManager;
|
| @In(create=true)
| private Conversation conversation;
|
| private UserInformation instance = new UserInformation();
|
| @Out(scope=ScopeType.SESSION, required=true)
| private UserInformation User;
|
| @Factory("User")
| @Begin(join=true)
| public void createUser() {
|
| System.out.println(FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName());
|
| String login = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();
| System.out.println(login + " 1 " + entityManager);
| User = (UserInformation)entityManager.createQuery("from UserInformation where login=:login")
| .setParameter("login", login).getSingleResult();
| Authenticator.instance().authenticate(User.getLogin(), User.getPassword());
| Contexts.getSessionContext().set("loggedIn", true);
| }
| ...
| ...
| ...
|
web.xml security:
|
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>simple</web-resource-name>
| <url-pattern>/marktplatz/*</url-pattern>
| </web-resource-collection>
| <auth-constraint>
| <role-name>user</role-name>
| </auth-constraint>
| </security-constraint>
|
| <login-config>
| <auth-method>FORM</auth-method>
| <form-login-config>
| <form-login-page>/login.jsf</form-login-page>
| <form-error-page>/login.jsf</form-error-page>
| </form-login-config>
| </login-config>
|
| <welcome-file-list>
| <welcome-file>/marktplatz/startpage.jsf</welcome-file>
| <welcome-file>/index.html</welcome-file>
| </welcome-file-list>
|
|
|
Note that /marktplatz is the secured area and there is not other area except for the login page, which resides inside the root folder of my web-app.
Now my questions:
1.)Am I assuming correctly, that a Session is only created when the user has logged in successfully or have I just coded a HUGE security leak for my webapp?
2.) I tried using a custom principal class (UserInformation implements Principal) by specifying the principalClass option for my login module and it was used throughout the login process. however in my web app I always got a SimplePrincipal object, when doing
| FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName()
|
. Why was my custom principal class not propagated into the external context, but SimplePrincipal used instead?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3979570#3979570
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3979570
More information about the jboss-user
mailing list