[jboss-user] [JBoss Seam] - Re: Security: Better support for single sign on?!
sweetlandj
do-not-reply at jboss.com
Wed Dec 19 16:34:47 EST 2007
I have a slightly different solution that avoids the need to add action parameters to pages. Basically I extended Identity and overrode the isLoggedIn method. Here is some code that will implement a trivial and insecure SSO across many co-located applications simply by passing the username and password around in a session cookie:
| package foo.seam;
|
| import java.util.Map;
| import javax.faces.context.ExternalContext;
| import javax.faces.context.FacesContext;
| import javax.servlet.http.Cookie;
| import javax.servlet.http.HttpServletResponse;
| import org.jboss.seam.ScopeType;
| import org.jboss.seam.annotations.Install;
| import org.jboss.seam.annotations.Name;
| import org.jboss.seam.annotations.Scope;
| import org.jboss.seam.annotations.Startup;
| import org.jboss.seam.annotations.intercept.BypassInterceptors;
| import org.jboss.seam.security.Identity;
|
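/**
 * Session-scoped replacement for Seam's {@link Identity} that shares one login
 * across co-located applications by round-tripping the credentials in two
 * cookies, {@code sso.username} and {@code sso.password}, scoped to path "/".
 *
 * <p>Security note: the password travels and is stored in clear text, the
 * cookies are readable by every application on the same host, they are not
 * marked {@code Secure} (so they are also sent over plain HTTP), and nothing
 * here shields them from script access. This is demo-grade only; a deployment
 * should exchange an opaque, expiring token instead of the password, set
 * {@code Cookie.setSecure(true)} when served over HTTPS, and
 * {@code Cookie.setHttpOnly(true)} where the Servlet API in use is 3.0 or newer.
 *
 * <p>Each request's cookie values are client-supplied and therefore untrusted:
 * they are only fed into the identity as login input and still have to pass
 * Seam's authentication in {@code super.isLoggedIn}.
 */
@Name("org.jboss.seam.security.identity")
@Scope(ScopeType.SESSION)
@Install(precedence = Install.APPLICATION)
@BypassInterceptors
@Startup
public class SSOIdentity extends Identity {

    /** Name of the cookie that carries the user name between applications. */
    private static final String USERNAME_COOKIE = "sso.username";

    /** Name of the cookie that carries the password between applications. */
    private static final String PASSWORD_COOKIE = "sso.password";

    /** Cookie path; "/" makes the cookies visible to every application on the host. */
    private static final String COOKIE_PATH = "/";

    /**
     * Seeds this identity's credentials from the SSO cookies when both are present
     * on the current request, then defers to Seam's normal check.
     *
     * <p>Presumably Seam's {@link Identity} attempts a login with the seeded
     * credentials when {@code attemptLogin} is true — verify against the Seam
     * version in use. Outside a JSF request (no current {@link FacesContext})
     * the cookies are not consulted and only the inherited check runs.
     *
     * @param attemptLogin passed through to {@link Identity#isLoggedIn(boolean)}
     * @return whatever the inherited check reports
     */
    @Override
    public boolean isLoggedIn(boolean attemptLogin) {
        Map<String, Object> cookies = requestCookies();
        if (cookies != null) {
            Cookie username = (Cookie) cookies.get(USERNAME_COOKIE);
            Cookie password = (Cookie) cookies.get(PASSWORD_COOKIE);
            // Only adopt the pair together; a lone cookie is ignored.
            if (username != null && password != null) {
                setUsername(username.getValue());
                setPassword(password.getValue());
            }
        }
        return super.isLoggedIn(attemptLogin);
    }

    /**
     * After a successful login, publishes the credentials as browser-session
     * cookies (max-age -1) so sibling applications can pick them up in
     * {@link #isLoggedIn(boolean)}. Skips the cookies outside a JSF request.
     */
    @Override
    protected void postAuthenticate() {
        HttpServletResponse response = currentResponse();
        if (response != null) {
            response.addCookie(newSsoCookie(USERNAME_COOKIE, getUsername()));
            response.addCookie(newSsoCookie(PASSWORD_COOKIE, getPassword()));
        }
        super.postAuthenticate();
    }

    /**
     * Logs out of Seam and tells the browser to discard both SSO cookies.
     *
     * <p>Fresh max-age-0 cookies are sent rather than the request's own cookie
     * objects, so logout also works when the cookies are already gone (for
     * example after another co-located application logged out first), and the
     * deletion cookie for the password carries the same "/" path as the
     * original so the browser actually matches and removes it.
     */
    @Override
    public void logout() {
        super.logout();
        HttpServletResponse response = currentResponse();
        if (response != null) {
            response.addCookie(expiredSsoCookie(USERNAME_COOKIE));
            response.addCookie(expiredSsoCookie(PASSWORD_COOKIE));
        }
    }

    /** Cookies of the current JSF request, or null when there is no current FacesContext. */
    private static Map<String, Object> requestCookies() {
        FacesContext facesCtx = FacesContext.getCurrentInstance();
        if (facesCtx == null) {
            return null;
        }
        ExternalContext extCtx = facesCtx.getExternalContext();
        return extCtx.getRequestCookieMap();
    }

    /** Response of the current JSF request, or null when there is no current FacesContext. */
    private static HttpServletResponse currentResponse() {
        FacesContext facesCtx = FacesContext.getCurrentInstance();
        if (facesCtx == null) {
            return null;
        }
        ExternalContext extCtx = facesCtx.getExternalContext();
        return (HttpServletResponse) extCtx.getResponse();
    }

    /** Builds a browser-session cookie (max-age -1) scoped to {@link #COOKIE_PATH}. */
    private static Cookie newSsoCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setMaxAge(-1);
        cookie.setPath(COOKIE_PATH);
        // TODO(security): cookie.setSecure(true) under HTTPS; cookie.setHttpOnly(true)
        // if the Servlet API in use is 3.0 or newer.
        return cookie;
    }

    /** Builds a max-age-0 cookie that makes the browser drop the named SSO cookie. */
    private static Cookie expiredSsoCookie(String name) {
        Cookie cookie = new Cookie(name, "");
        cookie.setMaxAge(0);
        // Must match the path the cookie was set with, or the browser keeps the original.
        cookie.setPath(COOKIE_PATH);
        return cookie;
    }
}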
|
|
Just drop this class in the EJB module of each app you're working with (or the web module if you're using the J2EE packaging strategy with POJOs). It should work with a custom authenticate method, but I haven't tried it (I'm using the LDAP JAAS authenticate module).