[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-729) support container authorization in JBoss

Guillaume Jeudy (JIRA) jira-events at lists.jboss.org
Thu Mar 20 09:18:51 EDT 2008

    [ http://jira.jboss.com/jira/browse/JBSEAM-729?page=comments#action_12403805 ] 
Guillaume Jeudy commented on JBSEAM-729:

Attached are a few files showing an example of how to propagate the subject to the container and use CallerIdentityLoginModule in conjunction with Seam.


<security:identity jaas-config-name="RDMRealm" />



jboss.xml (to protect the ejbs):

<?xml version="1.0" encoding="UTF-8"?>
      "-//JBoss//DTD JBOSS 4.0//EN"

login-config.xml in jboss server conf/:

<application-policy name="OracleDbRealm">
    <authentication>
        <login-module code="org.jboss.resource.security.CallerIdentityLoginModule" flag="required">
            <module-option name="userName">defaultUser</module-option>
            <module-option name="password">defaultPass</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=ReferenceDataManagerDS</module-option>
        </login-module>
    </authentication>
</application-policy>
<application-policy name="RDMRealm">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersLoginModule" flag="required">
            <module-option name="usersProperties">props/rdm-users.properties</module-option>
        </login-module>
    </authentication>
</application-policy>


<page view-id="/ssoauth.xhtml" action="#{ssoAuthenticator.checkLogin}" login-required="false">
    <navigation from-action="#{ssoAuthenticator.checkLogin}">
        <rule if-outcome="true">
            <redirect view-id="/showpackages.xhtml"></redirect>
        </rule>
    </navigation>
</page>

<page view-id="/*" login-required="true"/>

<exception class="org.jboss.seam.security.NotLoggedInException">
    <redirect view-id="/ssoauth.xhtml">
        <message severity="warn">You must be authenticated to use this application</message>
    </redirect>
</exception>
<exception class="org.jboss.seam.security.AuthorizationException">
    <redirect view-id="/ssoauth.xhtml">
        <message severity="warn">You must be authorized to use this application</message>
    </redirect>
</exception>

ssoAuthenticator seam component:

public boolean checkLogin() {
    Identity identity = Identity.instance();
    // user may already be logged in - check
    if (identity.isLoggedIn(false)) {
        return true;
    }

    return authenticate();
}

public boolean authenticate() {

    boolean authenticated = false;

    // get the principal and password the way you want
    // in my case I retrieve the principal,password populated by an NTLM servlet filter

    Identity identity = Identity.instance();
    try {

        WebAuthentication webAuth = new WebAuthentication();
        if (!webAuth.login(principalName, password)) {
            FacesMessages.instance().add("Failed to authenticate credentials, user:#0 does not exist or has wrong user/pass combination.", principalName);
            log.error("Failed WebAuthentication.login() returned false for user: #0", principalName);
            return false;
        }

        // Identity must have 'fresh' credentials for authenticate()
        // call to proceed

        // test
        try {
            Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
            if (caller != null) {
                log.info("Subject is:" + caller);
            }
        } catch (PolicyContextException e) {
            // TODO Auto-generated catch block
        }
        // end test
        // set identity roles here
        authenticated = true;
    } catch (LoginException e) {
        log.error("Failed to authenticate", e);
        FacesMessages.instance().add("Failed to authenticate, user:#0. " + e.getMessage(), principalName);
    }
    return authenticated;
}
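
Added example, not part of the original comment or of Seam itself: the "test" block above only logs the container Subject, so the code below turns that lookup into a check that fails closed when the Subject is missing or does not carry the user that was just authenticated. The class, method and user names are hypothetical, and constructed Subjects stand in for the PolicyContext lookup so that it runs on a plain JDK.

```java
import java.security.Principal;
import javax.security.auth.Subject;

// Added example; ContainerSubjectCheck and its members are hypothetical names.
public class ContainerSubjectCheck {

    /** Minimal Principal used only to build the constructed sample Subjects in main(). */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Returns true only if the Subject bound by the container carries a principal
     * whose name equals the user that was just authenticated. A null Subject, an
     * empty principal set or a different name all count as "not propagated".
     */
    static boolean subjectCarriesUser(Subject caller, String expectedName) {
        if (caller == null || expectedName == null || expectedName.isEmpty()) {
            return false;
        }
        for (Principal p : caller.getPrincipals()) {
            if (expectedName.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Inside the container the Subject comes from the lookup used in the comment:
        //   (Subject) PolicyContext.getContext("javax.security.auth.Subject.container")
        // Constructed Subjects replace it here so the check runs without JBoss.
        Subject propagated = new Subject();
        propagated.getPrincipals().add(new NamedPrincipal("jdoe")); // constructed user

        Subject otherUser = new Subject();
        otherUser.getPrincipals().add(new NamedPrincipal("defaultUser"));

        System.out.println("matching subject:  " + subjectCarriesUser(propagated, "jdoe"));
        System.out.println("different subject: " + subjectCarriesUser(otherUser, "jdoe"));
        System.out.println("no subject bound:  " + subjectCarriesUser(null, "jdoe"));
    }
}
```

In authenticate() the result of such a check would gate `authenticated = true`, so the Seam session is not marked as logged in when the container has no matching caller identity.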

> support container authorization in JBoss
> ----------------------------------------
>                 Key: JBSEAM-729
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-729
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Security
>            Reporter: Gavin King
>         Assigned To: Shane Bryzak
>             Fix For: 2.1.0.GA
> We should use the JBoss-specific Thread->Principal binding to integrate with container authorization. Make it extensible to support other containers in future.
