This looks to me like a really useful use case and I hope we can
figure out a good solution quickly and document it. I hope someone
who knows more about JSF than I can help or the "quickly" part is
unlikely :-)
On Mar 18, 2008, at 11:05 PM, Ralf Baumhof wrote:
I have got an application where after a successful login the user
maybe must select a role (the user may be an administrator and a
standard user). So, a navigation to a role-selection-page must be
performed. We are using JSF pages for the view component, so we
have an easy and powerful navigation mechanism.
I've wondered about how to do stuff like this and have a couple
questions
- Does authenticating the user happen before or after the user
chooses the role they wish to be in?
- Is the user presented with a list of possible roles based on their
identity?
- How many web pages does this process take up? E.g., is role
selection on the same page or a different page than filling in user/
credential info?
From the web application security example (see http://
cwiki.apache.org/GMOxDOC20/web-application-security-sample.html) we
know a very good and easy way of using JAAS authentication with a
geronimo security realm. This example uses standard servlet
authentication procedure for login at web container. This procedure
requires a simple html page with the j_security_check action. So,
if we are using JSF pages we are loosing a lot of the powerful JSF
navigation features. So my attempt was to use a JSF page with a JSF
backing bean which performs the step by itself using the
LoginContext.login("my-security-realm",myCallBackHandler) method.
This also works fine, but the authentication is only done with the
ejb container. Tomcat is not informed about the user login. So the
secure pages are still restricted.
I think the reason this is tricky is that the javaee security model
has the container making the authentication and access decisions in
container code that is accessed before the control gets to any user
code.
There is no provision for the user code to either help with container
managed authentication or authorization. So, by the time control
gets to the code backing the jsf components, both authentication and
authorization should have taken place.
As a wild and unlikely idea, could some of the JSF component code
forward an appropriately munged request to the j_security_check stuff?
You might try the geronimo-specific ContextManager.login method which
will at least engage geronimo's security framework. I don't think it
will work though for repeated requests as I don't see any way for
tomcat to recognize that the next request is from the same user.
It might also be possible to fish around inside tomcat to get the
Authenticator and use that instead of ContextManager.login. Since
this is what tomcat does anyway this should install the stuff tomcat
uses to track the user.
It might also be possible to do something elegant in the new and not-
in-geronimo-yet jaspi spec.
Does the jsf spec have anything to say about this?
thanks
david jencks
Does anybody know a better way of integrating JAAS with JSF with
the purpose of not loosing the JSF navigation features??
Thanks in advance!!
_____________________________________________________________________
Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
http://smartsurfer.web.de/?mc=100071&distributionid=000000000066
