[jboss-user] [Security & JAAS/JBoss] - Re: JavaServer Faces and container-managed authorization not

poesys do-not-reply at jboss.com
Wed Aug 20 16:36:09 EDT 2008

Here is the plain jsp login page:

  | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  | <%@ page errorPage="/jsp/common/gen_error.jsp" %>
  | <jsp:include page="/jsp/includes/dyn_header.jsp" flush ="true">
  | <jsp:param name="pageName" value="Login Test" />
  | <jsp:param name="id" value="5" />
  | </jsp:include>
  | 	<form action="j_security_check" method="post">
  | 		Username: <input type="text" name="j_username" size="22"/>
  | 		Password: <input type="password" name="j_password" size="22"/>
  | 		<input type="submit" value="Login" />
  | 	</form>
  | <jsp:include page="/jsp/includes/gen_footer.jsp" flush="true" />
When I enter the myHome.faces URL, it displays this page, I enter the username and password, and it goes to the myHome.xhtml page as it should, so everything works properly. This is the same behavior I get when I use BASIC authentication as opposed to FORM. I verified that the login module being used is the DatabaseServerLoginModule (debugged into it and saw the principals being built).

So the only difference here is the plain jsp versus the Faces xhtml. Here's the code for that:
<?xml version="1.0" encoding="UTF-8"?>
  | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  | <html xmlns="http://www.w3.org/1999/xhtml"
  | 	xmlns:ui="http://java.sun.com/jsf/facelets"
  | 	xmlns:h="http://java.sun.com/jsf/html"
  | 	xmlns:f="http://java.sun.com/jsf/core" xml:lang="en" lang="en">
  | 	<f:view>
  | 		<ui:composition template="/facelets/templates/standard.xhtml">
  | 			<ui:define name="title">TAIR - Login Page</ui:define>
  | 			<ui:define name="css">
  | 				<link rel="stylesheet" type="text/css" href="/css/page/login.css" />
  | 			</ui:define>
  | 			<ui:define name="content">
  | 				<h:form>
  | 					<h:messages layout="table" globalOnly="true" errorClass="error"></h:messages>
  | 					<h:panelGrid columns="2">
  | 						<h:outputLabel for="username">User name:</h:outputLabel>
  | 						<h:inputText id="username" value="#{login.username}" />
  | 						<h:outputLabel for="password">Password:</h:outputLabel>
  | 						<h:inputSecret id="password" value="#{login.password}" />
  | 						<h:commandButton value="Login" action="#{login.login}" />
  | 						<h:outputText value="" />
  | 					</h:panelGrid>
  | 					<p>
  | 						If you forgot your username or password,
  | 						<h:commandLink value=" request your login information here."
  | 							action="request_info" />
  | 					</p>
  | 					<p>
  | 						If your personal profile does not exist in our database,
  | 						<h:commandLink value=" register " action="register" />
  | 						as a new Tair user.
  | 					</p>
  | 				</h:form>
  | 			</ui:define>
  | 		</ui:composition>
  | 	</f:view>
  | </html>
Obviously this doesn't authenticate to the container unless the code posted earlier for the login method in the managed bean does that under the covers when it calls loginContext.login(). 

I think I can live with a Facelets version of the login form using the Tomcat authentication protocol (I'll build that and test it now), but do you have any idea why the standard LoginContext code doesn't work here? This stuff is straight out of the examples and documentation. Is there some other call I need to make to tell the container about the login context subject?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4171627#4171627

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4171627

More information about the jboss-user mailing list