[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3422) Add basic method on Identity that checks for authenticated user

Dan Allen (JIRA) jira-events at lists.jboss.org
Sat Sep 20 01:33:20 EDT 2008


    [ https://jira.jboss.org/jira/browse/JBSEAM-3422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12430489#action_12430489 ] 

Dan Allen commented on JBSEAM-3422:
-----------------------------------

While I see the changes, the fact is there is still a case for a method that does the extremely simple task of checking whether the principal is null (but having a semantic name so it is meaningful to the developer).

Here is the use case. Put a login form on the page, then under the login form put a fragment that uses rendered="#{identity.loggedIn}". What you will discover is that during the update models phase, each portion of the tree is touched and since the rendered check occurs further down in the tree than the login form, the credentials are set when the tree walker gets there. Since the invoke application phase hasn't happened yet, the login attempt occurs in the update models phase, which is really not what the developer is intending to have happen. Thus, it is a very bad idea to use the isLoggedIn() method to bind into the UI component tree. It would be *so* much simpler just to have a method like #{identity.authenticated}. Trust the developers will like this. Several have told me as much.

I noticed that you solved the duplicate message problem by clearing the password in the public void authenticate(LoginContext loginContext) throws LoginException; method on Identity. Any reason why this cannot be applied to branch 2.0?

> Add basic method on Identity that checks for authenticated user
> ---------------------------------------------------------------
>
>                 Key: JBSEAM-3422
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3422
>             Project: Seam
>          Issue Type: Feature Request
>    Affects Versions: 2.0.3.CR1, 2.1.0.BETA1
>            Reporter: Dan Allen
>            Assignee: Dan Allen
>            Priority: Minor
>             Fix For: 2.0.3.CR2, 2.1.0.CR1
>
>   Original Estimate: 5 minutes
>  Remaining Estimate: 5 minutes
>
> People often report that their authentication method is called more than once. While there are many different conditions that can lead to this problem, the most common is developers using #{identity.loggedIn} for conditional rendering in the UI.
> Contrary to popular understanding, the #{identity.loggedIn} (alternatively written as #{identity.isLoggedIn()}) is not a simple JavaBean-style accessor method. It will attempt to perform a login if the user is not currently authenticated, thus making this method unsuitable to be used in the UI for conditional rendering. While nothing troublesome happens on successful login, when the login fails, or a guest user is browsing a page that calls this method, Seam triggers the authentication method at these arbitrary points in time.
> A very simple workaround is to either use #{identity.isLoggedIn(false)} or simply create a new method on the identity component that merely checks if the user principal is null or non-null.
> public boolean isAuthenticated() {
>     return getPrincipal() != null;
> }
> In the UI you can now use #{identity.authenticated}, which is now the preferred way to check if the user has a security principal.
> Note: You only see the double message if you add a FacesMessage in the authenticate method. If you use Seam's built in authentication messages, you don't get the double message because the quietLogin() method (called by isLoggedIn()) skips adding the messages. You aren't privy to the information of whether the authentication method was called by quietLogin() for your own message registration purposes.

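The double invocation described in this issue, as an added Java example that is not part of the original message and is not Seam's Identity source. IdentitySketch, its authCalls counter and the sample credentials are constructed for illustration, and isLoggedIn(boolean) is modelled on the #{identity.isLoggedIn(false)} workaround quoted above.

```java
import java.security.Principal;

// Simplified model of the behaviour discussed in JBSEAM-3422 (hypothetical class, not Seam code).
public class IdentitySketch {
    private String username, password; // bound to the login form, set during update models
    private Principal principal;       // non-null only after a successful login
    private int authCalls;             // how many times the authentication method ran

    void setCredentials(String u, String p) { username = u; password = p; }

    // Stand-in for the application's authentication method (constructed credential check).
    private boolean authenticate() {
        authCalls++;
        return "alice".equals(username) && "correct-password".equals(password);
    }

    // Explicit login, as fired by the login button during invoke application.
    boolean login() {
        if (authenticate()) { String name = username; principal = () -> name; }
        return principal != null;
    }

    // Side-effecting check: tries to log in when credentials are set but no principal exists.
    boolean isLoggedIn(boolean attemptLogin) {
        if (attemptLogin && principal == null && username != null && password != null) {
            login(); // plays the role of quietLogin()
        }
        return principal != null;
    }

    boolean isLoggedIn() { return isLoggedIn(true); }

    // Pure check proposed in the issue: no login attempt, only a null test.
    boolean isAuthenticated() { return principal != null; }

    // One failed login request; the rendered= fragment sits below the form in the tree.
    static int authCallsForFailedLogin(boolean renderWithLoggedIn) {
        IdentitySketch id = new IdentitySketch();
        id.setCredentials("alice", "wrong-password"); // update models reaches the form first
        if (renderWithLoggedIn) id.isLoggedIn(); else id.isAuthenticated(); // then the fragment
        id.login();                                   // invoke application: the intended login
        return id.authCalls;
    }

    public static void main(String[] args) {
        System.out.println("rendered=#{identity.loggedIn}      -> " + authCallsForFailedLogin(true) + " authenticate call(s)");
        System.out.println("rendered=#{identity.authenticated} -> " + authCallsForFailedLogin(false) + " authenticate call(s)");
    }
}
```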