[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-967) JBoss Seam - Support authentication from a realm (on Tomcat)

Bradley Smith (JIRA) jira-events at lists.jboss.org
Fri Oct 19 08:01:03 EDT 2007 

    [ http://jira.jboss.com/jira/browse/JBSEAM-967?page=comments#action_12383418 ] 
            
Bradley Smith commented on JBSEAM-967:
--------------------------------------

I'll give it a try, but I'm somewhat reluctant to take the approach of extending the Identity class.

First, is extending a Seam component class a recommended pattern / best practice?  The approach of creating an authenticator seems better / cleaner.  If I do extend Identity, how do I make my Identity impl THE identity component for my Seam applications (what changes in the class annotations)?

Second, in the past, I've modified things like SeamTest, only to see SeamTest get completely refactored and thus break my changes.  Such changes in the class I extend basically result in my having to solve the problem N times - once for each change in the class's API.  Most recently, going from Seam 1.2.1 to Seam 2.0, some annotations got moved to new packages with no support for the old packages, isn't it just as trivial to leave a version of the old annotations in their original packages along with some kind of deprecation warning?  What's the guarantee that Identity isn't going to get a similar refactoring in methods or packaging?

Thanks

> JBoss Seam - Support authentication from a realm (on Tomcat)
> ------------------------------------------------------------
>
>                 Key: JBSEAM-967
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-967
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Security
>            Reporter: Bradley Smith
>         Assigned To: Shane Bryzak
>
> Please see discussion in the JBoss forum reference.
> The idea is to allow the Seam Identity (security) component to get the Principal from the HttpServletRequest and to delegate the hasRole() calls to the HttpServletRequest as well.  This is because, in my case, Tomcat has already forced the user to authenticate if necessary and the authentication, authorization information is available in the container's HttpServletRequest impl.
> Principal userPrincipal = httpServletRequest.getUserPrincipal();
> boolean hasRole(String roleName) {
>   return httpServletRequest.isUserInRole(roleName);
> }
> public String getUsername() {
>    return httpServletRequest.getRemoteUser();
> }
> public boolean isLoggedIn() {
>   return httpServletRequest.getUserPrincipal() != null;
> }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list