[jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-3224) RememberMe autologin mode is broken

Stefano (JIRA) jira-events at lists.jboss.org
Wed Aug 6 06:58:56 EDT 2008


     [ https://jira.jboss.org/jira/browse/JBSEAM-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefano updated JBSEAM-3224:
----------------------------

    Attachment: RunAsOperation.patch


The attached patch fixes the problem.

However, the Seam Space example has other issues with autologin mode because the 'authenticatedMember' variable is outjected on the JpaIdentityStore.EVENT_USER_AUTHENTICATED event by the AuthenticationEvents component, while this event is not raised during an autologin.

I can't figure out, at the moment, which should be the correct event to observe. In my application I use Credentials.EVENT_CREDENTIALS_UPDATE, even if it gets raised more than one time for each login or autologin.



> RememberMe autologin mode is broken
> -----------------------------------
>
>                 Key: JBSEAM-3224
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3224
>             Project: Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1.0.A1
>         Environment: Ubuntu 8.04, JBoss 4.2.2, JVM 1.6.0_04, Seam 2.1 trunk as of Aug 6th 2008.
>            Reporter: Stefano
>         Attachments: RunAsOperation.patch
>
>
> Setting remember-me autologin mode doesn't work.
> To reproduce the problem:
>  - take the Seam Space example and apply the steps described in chapter 15.3.5.1 of the reference documentation.
>  - login with "Remember me" set
>  - force the autologin mechanism by deleting the JSESSIONID cookie and clicking refresh on the browser.
> The following exception is logged:
> org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,read]
> 	at org.jboss.seam.security.Identity.checkPermission(Identity.java:563)
> 	at org.jboss.seam.security.management.IdentityManager.isUserEnabled(IdentityManager.java:127)
> 	at org.jboss.seam.security.RememberMe$1.execute(RememberMe.java:282)
> 	at org.jboss.seam.security.Identity.runAs(Identity.java:711)
> 	at org.jboss.seam.security.RunAsOperation.run(RunAsOperation.java:84)
> 	at org.jboss.seam.security.RememberMe.quietLogin(RememberMe.java:278)
> The problem originates from what seems to me a typo in the RunAsOperation class constructor, where the 'systemOp' flag is never set to true, regardless of the value passed.
>    public RunAsOperation(boolean systemOp)
>    {      
>       this();
>       systemOp = true;
>    }
> It should be:
> this.systemOp = systemOp;

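The constructor typo described in the report, as an added example that is not part of the original message or of Seam's source. It is a simplified, self-contained model: the `Op`, `runAs` and `checkPermission` names and the static flag are assumptions. It shows that assigning to the parameter leaves the field false, so the permission check is not exempted, and that declaring the field and the parameter `final` makes this typo a compile error.

```java
public class SystemOpShadowingDemo {
    // Stands in for the framework's "currently inside a system operation" state (assumed model).
    static boolean inSystemOp = false;

    interface Op { boolean isSystemOperation(); void execute(); }

    // Simplified permission check: system operations are exempt, everything else is denied here.
    static void checkPermission(String target, String action) {
        if (!inSystemOp) {
            throw new SecurityException(
                "Authorization check failed for permission[" + target + "," + action + "]");
        }
    }

    // Simplified runAs: raise the flag only if the operation declares itself a system operation.
    static String runAs(Op op) {
        inSystemOp = op.isSystemOperation();
        try {
            op.execute();
            return "allowed";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        } finally {
            inSystemOp = false; // always drop the exemption when the operation ends
        }
    }

    static class BuggyOp implements Op {
        private boolean systemOp = false;
        BuggyOp(boolean systemOp) { systemOp = true; } // writes the parameter; the field stays false
        public boolean isSystemOperation() { return systemOp; }
        public void execute() { checkPermission("seam.user", "read"); }
    }

    static class FixedOp implements Op {
        private final boolean systemOp; // final field: the constructor must assign it
        FixedOp(final boolean systemOp) { this.systemOp = systemOp; } // final parameter: cannot be reassigned
        public boolean isSystemOperation() { return systemOp; }
        public void execute() { checkPermission("seam.user", "read"); }
    }

    public static void main(String[] args) {
        System.out.println("buggy(true):  " + runAs(new BuggyOp(true)));
        System.out.println("fixed(true):  " + runAs(new FixedOp(true)));
        System.out.println("fixed(false): " + runAs(new FixedOp(false)));
    }
}
```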