[jboss-user] [JBoss Seam] - Where to invoke implicit login for custom SSO?

Wed, 14 Nov 2007 23:02:27 -0800 

I'm implementing simple custom SSO, and am struggling to find the correct place 
to perform an implicit login when the user first hits the application.

I had thought that a filter would be the natural place for this, and have a 
SsoFilter created and registered with SeamFilter.  This works as I expected it 
to, BUT the call to identity.login() fails because there's no application scope 
active - the filter executes before the lifecycle sets up the context for the 
request (I think).

Here's what I see:

java.lang.IllegalStateException: No active application scope
  |         at 
org.jboss.seam.security.Configuration.instance(Configuration.java:71)
  |         at 
org.jboss.seam.security.Identity.getLoginContext(Identity.java:412)
  |         at org.jboss.seam.security.Identity.authenticate(Identity.java:324)
  |         at org.jboss.seam.security.Identity.login(Identity.java:237)
  |         at weblock.servlet.SsoFilter.doFilter(SsoFilter.java:78)
  |         at 
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

Here's what I'm basically doing in my filter:

        // taken from AuthenticationFilter from seam source.  
  |         Identity identity = (Identity) request.getSession().getAttribute( 
Seam.getComponentName(Identity.class) );
  | 
  |         identity.setUsername(value-gotten-from-sso-token);
  |         // for our requirements we don't actually need  password, and
  |         // authenticate is written accordingly
  | 
  |         // this is what blows up!
  |         String loginResult = identity.login();

Argh!  Is a filter the wrong place to do this sort of thing in Seam?  We're 
developing against jboss, deploying into weblogic, so container integration 
isn't an option.  The JSF lifecycle hooks seam uses via SeamListener look 
promising (session binding) but it doesn't look intended to be extensible, and 
I don't think the contexts are initialized there either.  We don't want any 
sort of login page - this behaviour should all be transparent to the users.

Am I missing something obvious?

Any help would be greatly appreciated.


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4104848#4104848

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4104848
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

Reply via email to