Hi, dear Seamers!
I have managed to get a Login Module working which takes Users and Passwords
from an EJB3. After that I use a Session bean that takes the user principal of
the Faces Context's external context and authenticates the user with the Seam
authenticator.
login-module.xml:
<application-policy name="simple">
  <authentication>
    <login-module code="de.livemediagroup.security.auth.MarktplatzLoginModule"
                  flag="required">
      <module-option name="jndiEntityManagerFactory">java:/issuesEntityManagerFactory</module-option>
    </login-module>
  </authentication>
</application-policy>
LoginModule java file:
package de.livemediagroup.security.auth;

import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.naming.InitialContext;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.security.auth.login.LoginException;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class MarktplatzLoginModule extends UsernamePasswordLoginModule {

    private static final Log log = LogFactory.getLog(MarktplatzLoginModule.class);

    // Module option carrying the JNDI name of the EntityManagerFactory.
    private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";

    private UserInformation user;

    // Looks the user up by login and returns the stored password for the superclass to compare.
    @Override
    protected String getUsersPassword() throws LoginException {
        try {
            InitialContext ctx = new InitialContext();
            String jndiEntityManagerFactory = options.get(JNDI_EM_CONFIG_KEY).toString();
            System.out.println(jndiEntityManagerFactory);
            EntityManagerFactory factory = (EntityManagerFactory) ctx.lookup(jndiEntityManagerFactory);
            EntityManager entityManager = factory.createEntityManager();

            user = (UserInformation) entityManager
                    .createQuery("from UserInformation where login=:login")
                    .setParameter("login", getUsername())
                    .getSingleResult();
            return user.getPassword();
        } catch (Exception e) {
            log.error("Fehler beim ermitteln des Benutzers", e);
            throw new LoginException("Fehler beim ermitteln des Benutzers: " + e);
        }
    }

    // Builds the "Roles" group from the user's Role entities.
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group rolesGroup = new SimpleGroup("Roles");
        List<Group> groups = new ArrayList<Group>();
        groups.add(rolesGroup);
        try {
            Iterator<Role> roleIterator = user.getRoles().iterator();
            while (roleIterator.hasNext()) {
                rolesGroup.addMember(createIdentity(roleIterator.next().getName()));
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        Group[] roleSets = new Group[groups.size()];
        groups.toArray(roleSets);
        return roleSets;
    }

}

Managed seam session bean:
@Name("login")
@Stateful
@Scope(ScopeType.SESSION)
@Startup
public class LoginBean implements Login {

    @Logger
    Log log;

    @In(create=true)
    private EntityManager entityManager;

    @In(create=true)
    private Conversation conversation;

    private UserInformation instance = new UserInformation();

    @Out(scope=ScopeType.SESSION, required=true)
    private UserInformation User;

    @Factory("User")
    @Begin(join=true)
    public void createUser() {
        System.out.println(FacesContext.getCurrentInstance().getExternalContext()
                .getUserPrincipal().getClass().getName());

        String login = FacesContext.getCurrentInstance().getExternalContext()
                .getUserPrincipal().getName();
        System.out.println(login + " 1 " + entityManager);
        User = (UserInformation) entityManager
                .createQuery("from UserInformation where login=:login")
                .setParameter("login", login)
                .getSingleResult();
        Authenticator.instance().authenticate(User.getLogin(), User.getPassword());
        Contexts.getSessionContext().set("loggedIn", true);
    }
    ...

web.xml security:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>simple</web-resource-name>
    <url-pattern>/marktplatz/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsf</form-login-page>
    <form-error-page>/login.jsf</form-error-page>
  </form-login-config>
</login-config>

<welcome-file-list>
  <welcome-file>/marktplatz/startpage.jsf</welcome-file>
  <welcome-file>/index.html</welcome-file>
</welcome-file-list>

Note that /marktplatz is the secured area and there is no other area except
for the login page, which resides inside the root folder of my web-app.
Now my questions:
1.) Am I assuming correctly that a Session is only created when the user has
logged in successfully, or have I just coded a HUGE security leak for my webapp?
2.) I tried using a custom principal class (UserInformation implements
Principal) by specifying the principalClass option for my login module, and it
was used throughout the login process. However, in my web app I always got a
SimplePrincipal object when doing

FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName()

Why was my custom principal class not propagated into the external context,
but SimplePrincipal used instead?
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3979570#3979570
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
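As an added, hypothetical hardening of the login module from the post (not the poster's code, not part of JBoss): UserInformation and Role are assumed to be the post's own entities, with UserInformation exposing getPasswordHash() holding an "iterations:base64(salt):base64(pbkdf2)" record instead of the plaintext password, and Java 8+ is assumed for java.util.Base64 and PBKDF2WithHmacSHA256. getUsersPassword hands the superclass that record, validatePassword does a salted, constant-time comparison, and a role-mapping failure rejects the login instead of being printed and ignored.

```java
import java.security.MessageDigest;
import java.security.acl.Group;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Hypothetical hardened variant of the posted module; UserInformation and Role are the post's own entities.
public class HashedMarktplatzLoginModule extends UsernamePasswordLoginModule {
    private UserInformation user; // assumed to expose getPasswordHash() and getRoles()

    // Hands the superclass the stored "iterations:base64(salt):base64(pbkdf2)" record, never a plaintext password.
    protected String getUsersPassword() throws LoginException {
        EntityManager em = null;
        try {
            String jndi = String.valueOf(options.get("jndiEntityManagerFactory"));
            em = ((EntityManagerFactory) new InitialContext().lookup(jndi)).createEntityManager();
            user = (UserInformation) em.createQuery("from UserInformation where login = :login")
                    .setParameter("login", getUsername()).getSingleResult(); // bound parameter, as in the post
            return user.getPasswordHash();
        } catch (Exception e) {
            throw new LoginException("Could not look up user"); // one message for unknown user and lookup errors
        } finally { if (em != null) em.close(); } // the posted version never closes the EntityManager
    }

    // Recomputes PBKDF2 over the submitted password and compares it with the stored hash in constant time.
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null || expectedPassword == null) return false;
        try {
            String[] p = expectedPassword.split(":");
            byte[] salt = Base64.getDecoder().decode(p[1]), stored = Base64.getDecoder().decode(p[2]);
            PBEKeySpec spec = new PBEKeySpec(inputPassword.toCharArray(), salt, Integer.parseInt(p[0]), stored.length * 8);
            byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(stored, derived);
        } catch (Exception e) { return false; } // malformed record or unknown algorithm: fail closed
    }

    // Role mapping as in the post, except that a failure rejects the login instead of being printed and ignored.
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        try { for (Role r : user.getRoles()) roles.addMember(createIdentity(r.getName())); }
        catch (Exception e) { throw new LoginException("Could not map roles"); }
        return new Group[] { roles };
    }
}
```

Because the stored value is then no longer the password, the posted LoginBean can no longer re-run Authenticator.authenticate with User.getPassword(); it has to rely on the container principal it already reads from the external context.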