[jboss-user] [JBoss Seam] - Re: Exception with basic authentication

alllle do-not-reply at jboss.com
Thu Jan 31 23:31:20 EST 2008


"shane.bryzak at jboss.com" wrote : If you're invoking a restricted method and the credentials are set (which is what the AuthenticationFilter does) then a silent login will automatically occur, with no need to explicitly call Identity.authenticate().  Digest authentication is a special case, with a special type of authenticator.  You have to keep in mind that the request may be for an unsecured resource, for which authentication may not be required.  If that is the case then you don't want to be prompting the user for their username and password.

I wasn't able to find any code to support your claim so far. 

First of all, the AuthenticationFilter is only invoked when its urlPattern matches the requested resource. This is done in the SeamFilter$FilterChainImpl inner class:

            // SeamFilter$FilterChainImpl: a Seam filter only runs for paths it is mapped to
            if (filter instanceof AbstractFilter)
            {
               AbstractFilter bf = (AbstractFilter) filter;

               if ( bf.isMappedToCurrentRequestPath(request) )
               {
                  filter.doFilter(request, response, this);
               }

               else
               {
                  // not mapped: skip this filter and continue down the chain
                  this.doFilter(request, response);
               }
            }

Therefore, it will not be used if the resource requested is not a protected one.

Secondly, I'd like to see you point out to me where the "silent login" happens. So far, in my own research, the JAAS login() is triggered via the Identity.authenticate() call. This is not an automatic process; it needs to be invoked from somewhere, and the current code does not do so for BASIC authentication.

I have to question whether you have done any testing on this, or even looked it up in your code, before making your claim. I have put in the identity fix myself and tried it out before posting my workaround, and my test confirmed that without the 2nd fix I mentioned, the authentication does not "silently" happen. You end up repeatedly getting the username/password prompt from the client browser.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4125357#4125357

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4125357
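The two points argued in the post above, as an added standalone example that is not Seam's code and not from the original post: a plain javax.servlet filter that (1) only handles requests whose servlet path matches a configured urlPattern, passing every other request straight down the chain without ever challenging it, and (2) after parsing the Basic Authorization header, calls the login hook explicitly and re-challenges with a 401 when that login is missing or fails, which is exactly the browser re-prompt loop described. The class name, the constructor-injected urlPattern/realm, and the Authenticator interface are assumptions made for this illustration; the comment pointing at Identity.instance().authenticate() refers to the Seam call the thread discusses, not to code exercised here. It uses java.util.Base64, so it needs Java 8 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative servlet filter (hypothetical; not Seam's AuthenticationFilter).
 * It makes the two points of the post concrete:
 *  1. only requests whose servlet path matches the configured urlPattern are handled;
 *     everything else goes straight down the chain and is never challenged;
 *  2. once the Basic credentials have been parsed, the login has to be triggered
 *     explicitly. If that step is skipped, nobody is authenticated, the filter
 *     challenges again, and the browser keeps re-prompting for a password.
 */
public class ExplicitBasicAuthFilter implements Filter {

    /**
     * Hook for the actual login. In a Seam application this is where the post's
     * second fix belongs: set the username/password on Identity.instance() and
     * call Identity.instance().authenticate(), returning false on LoginException.
     * (Seam calls are assumed from the discussion above, not exercised here.)
     */
    public interface Authenticator {
        boolean login(String username, String password);
    }

    private final String urlPattern;      // e.g. "/secure/*" (assumed configuration)
    private final String realm;
    private final Authenticator authenticator;

    public ExplicitBasicAuthFilter(String urlPattern, String realm, Authenticator authenticator) {
        this.urlPattern = urlPattern;
        this.realm = realm;
        this.authenticator = authenticator;
    }

    @Override public void init(FilterConfig filterConfig) throws ServletException { }
    @Override public void destroy() { }

    /** Prefix match for patterns ending in "/*", exact match otherwise (same idea as the SeamFilter dispatch). */
    boolean isMappedToPath(String servletPath) {
        if (urlPattern.endsWith("/*")) {
            String prefix = urlPattern.substring(0, urlPattern.length() - 2);
            return servletPath.equals(prefix) || servletPath.startsWith(prefix + "/");
        }
        return servletPath.equals(urlPattern);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Unprotected resource: pass through, never prompt for credentials.
        if (!isMappedToPath(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);          // no usable header: first round-trip of the Basic handshake
            return;
        }

        // The explicit step the post argues for: setting credentials alone logs nobody in.
        if (!authenticator.login(creds[0], creds[1])) {
            challenge(response);          // wrong password, or login never attempted -> browser re-prompts
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns {username, password} from "Basic base64(user:pass)", or null if the header is absent or malformed. */
    static String[] parseBasicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');    // split on the first ':' only; the password may itself contain ':'
        if (colon < 0) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    private void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

A deployable version would take urlPattern and realm from filter init-params instead of the constructor, since the container instantiates filters with a no-argument constructor. Two caveats worth keeping in mind when testing a fix like the one in the thread: a 401 without a WWW-Authenticate header does not make browsers prompt at all, and Basic credentials are only base64-encoded, so the mapped paths must be served over TLS.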



More information about the jboss-user mailing list