[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-729) support container authorization in JBoss

Guillaume Jeudy (JIRA) jira-events at lists.jboss.org
Thu Mar 20 09:18:51 EDT 2008


    [ http://jira.jboss.com/jira/browse/JBSEAM-729?page=comments#action_12403805 ] 
            
Guillaume Jeudy commented on JBSEAM-729:
----------------------------------------

Attached are a few files showing an example on how to propagate the subject to the container and use CallerIdentityLoginModule in conjunction with Seam.

components.xml:

<security:identity jaas-config-name="RDMRealm" />

jboss-web.xml:

<jboss-web>
<security-domain>java:/jaas/RDMRealm</security-domain>
</jboss-web>

jboss.xml (to protect the ejbs):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
      "-//JBoss//DTD JBOSS 4.0//EN"
      "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
<jboss>
<security-domain>java:/jaas/RDMRealm</security-domain>
</jboss>

login-config.xml in jboss server conf/:

<application-policy name="OracleDbRealm">
    <authentication>
        <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
            <module-option name="userName">defaultUser</module-option>
            <module-option name="password">defaultPass</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=ReferenceDataManagerDS</module-option>
        </login-module>
    </authentication>
</application-policy>

<application-policy name="RDMRealm">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersLoginModule" flag="required">
            <module-option name="usersProperties">props/rdm-users.properties</module-option>
        </login-module>
    </authentication>
</application-policy>

pages.xml:

<page view-id="/ssoauth.xhtml" action="#{ssoAuthenticator.checkLogin}" login-required="false">
    <navigation from-action="#{ssoAuthenticator.checkLogin}">
        <rule if-outcome="true">
            <redirect view-id="/showpackages.xhtml"></redirect>
        </rule>
    </navigation>
</page>

<page view-id="/*" login-required="true"/>

<exception class="org.jboss.seam.security.NotLoggedInException">
    <redirect view-id="/ssoauth.xhtml">
        <message severity="warn">You must be authenticated to use this application</message>
    </redirect>
</exception>

<exception class="org.jboss.seam.security.AuthorizationException">
    <redirect view-id="/ssoauth.xhtml">
        <message severity="warn">You must be authorized to use this application</message>
    </redirect>
</exception>

ssoAuthenticator seam component:

import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.faces.FacesMessages;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.jboss.web.tomcat.security.login.WebAuthentication;

@Name("ssoAuthenticator")
public class SsoAuthenticator {

	@Logger
	private Log log;

	// get the principal and password the way you want
	// in my case I retrieve the principal,password populated by an NTLM servlet filter
	// (declared as fields here only so the component compiles on its own)
	private String principalName;
	private String password;

	public boolean checkLogin() {
		Identity identity = Identity.instance();
		// user may already be logged in - check
		if (identity.isLoggedIn(false)) {
			return true;
		}

		return authenticate();
	}

	public boolean authenticate() {

		boolean authenticated = false;

		Identity identity = Identity.instance();
		try {
			// log in to the web container first so the container-managed
			// Subject exists for this request before Seam authenticates
			WebAuthentication webAuth = new WebAuthentication();
			if (!webAuth.login(principalName, password)) {
				FacesMessages.instance().add("Failed to authenticate credentials, user:#0 does not exist or has wrong user/pass combination.", principalName);
				log.error("Failed WebAuthentication.login() returned false for user: #0", principalName);
				return false;
			}

			// Identity must have 'fresh' credentials for authenticate()
			// call to proceed
			identity.setUsername(principalName);
			identity.setPassword(password);

			identity.authenticate();
			// test: read back the Subject the container now associates with the caller
			try {
				Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
				if (caller != null) {
					log.info("Subject is:" + caller);
				}
			} catch (PolicyContextException e) {
				log.warn("Could not read the container Subject from PolicyContext", e);
			}
			// end test
			// set identity roles here
			authenticated = true;
		} catch (LoginException e) {
			log.error("Failed to authenticate", e);
			FacesMessages.instance().add("Failed to authenticate, user:#0. " + e.getMessage(), principalName);
		}
		return authenticated;
	}
}


> support container authorization in JBoss
> ----------------------------------------
>
>                 Key: JBSEAM-729
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-729
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Security
>            Reporter: Gavin King
>         Assigned To: Shane Bryzak
>             Fix For: 2.1.0.GA
>
>
> We should use the JBoss-specific Thread->Principal binding to integrate with container authorization. Make it extensible to support other containers in future.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
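The consumer side of the setup described in the comment above, as an added example that is not part of Guillaume's attachments or of the Seam project: an EJB3 stateless bean that depends on the container authorization the jboss.xml security-domain enables, plus a Seam component that calls it and reports when the container rejects the call. The role name "rdm-user", the bean and component names, and the use of the JBoss @SecurityDomain annotation (redundant when jboss.xml already sets the domain) are assumptions.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.annotation.security.SecurityDomain;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;

/** Local view of the protected bean (hypothetical name). */
@Local
interface PackageService {
    String whoAmI();
}

/**
 * Stateless bean guarded by container authorization. The security domain is
 * the one used in jboss.xml and jboss-web.xml above; with jboss.xml in place
 * the annotation is redundant and is shown only to keep the requirement
 * visible next to the code. The role name is an assumption.
 */
@Stateless
@Name("packageService")
@SecurityDomain("RDMRealm")
public class PackageServiceBean implements PackageService {

    @Resource
    private SessionContext ctx;

    // The container checks this role before the method body runs. If the Seam
    // login never reached the container (for example WebAuthentication.login()
    // was skipped), the caller is anonymous here and the call fails with
    // EJBAccessException even though Identity.isLoggedIn() is true.
    @RolesAllowed("rdm-user")
    public String whoAmI() {
        // getCallerPrincipal() reflects the propagated container Subject, the
        // same one the PolicyContext "test" block in the comment reads back.
        return ctx.getCallerPrincipal().getName();
    }
}

/** Seam-side caller (hypothetical component) that surfaces a propagation failure. */
@Name("packageChecker")
class PackageChecker {

    @Logger
    private Log log;

    @In
    private PackageService packageService;

    /** Returns the container's view of the caller, or null if the container refused the call. */
    public String check() {
        try {
            String name = packageService.whoAmI();
            log.info("Container sees caller #0", name);
            return name;
        } catch (EJBAccessException e) {
            // Seam may consider the user logged in while the container does not;
            // that gap is exactly what the WebAuthentication step above closes.
            log.warn("Container rejected the call: #0", e.getMessage());
            return null;
        }
    }
}
```

A useful check after wiring this up is to call packageChecker.check() from a page once Seam reports the user as logged in: a non-null principal name confirms that the web-tier login was propagated to the EJB tier, while a null result means the EJB is being called without the container Subject and the security-domain protection is not actually seeing the Seam user.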