On Mar 26, 2008, at 9:00 AM, rbaumhof wrote:
The workflow of the application should be the following:
login.jsp:
user enters userid and password and presses the login button
then:
someone (j_security_check) checks that this is a valid user. If user and password are valid, the groups of the user are loaded. If the user belongs only to one group (i.e. administrator) then the welcome page with (administration) menu is displayed.
If the user belongs to more than one group (i.e. local-administrator and application-user)
then:
selectRole.jsp is displayed.
Here a listbox should be displayed where he can select the role.
Now, when I describe the workflow, I see that this cannot be done by the servlet authentication mechanism. I think we must write our own filter to watch the requested pages.
Thanks for your help!!
I can't think of any good way to do this within the servlet authentication mechanism right now either. However, what you are trying to do is generally a requirement of role-based authorization systems with dynamic separation of duty constraints so I'm glad to see there is actually some demand for the feature.
I think it may be possible to develop what you want in the (new) JASPI spec which may be part of javaee 6 (I don't know one way or the other). It provides for a multi-message conversation between the client and server to establish the client's identity. It should be possible to write a jaspi provider that can after initial authentication ask for the desired role if there is more than one.
Geronimo doesn't implement jaspi yet but I'm hoping we can get to it this year. If you want to contribute that would be great! If you want to experiment with it I believe glassfish has an implementation: I don't know if any other app servers do.
thanks!
david jencks
djencks wrote:
This looks to me like a really useful use case and I hope we can figure out a good solution quickly and document it. I hope someone who knows more about JSF than I can help or the "quickly" part is unlikely :-)
On Mar 18, 2008, at 11:05 PM, Ralf Baumhof wrote:
I have got an application where after a successful login the user may have to select a role (the user may be an administrator and a standard user). So, a navigation to a role-selection page must be performed. We are using JSF pages for the view component, so we have an easy and powerful navigation mechanism.
I've wondered about how to do stuff like this and have a couple of questions
- Does authenticating the user happen before or after the user chooses the role they wish to be in?
- Is the user presented with a list of possible roles based on their identity?
- How many web pages does this process take up? E.g., is role selection on the same page or a different page than filling in user/credential info?
From the web application security example (see http://cwiki.apache.org/GMOxDOC20/web-application-security-sample.html) we know a very good and easy way of using JAAS authentication with a geronimo security realm. This example uses the standard servlet authentication procedure for login at the web container. This procedure requires a simple html page with the j_security_check action. So, if we are using JSF pages we are losing a lot of the powerful JSF navigation features. So my attempt was to use a JSF page with a JSF backing bean which performs the step by itself using the LoginContext.login("my-security-realm",myCallBackHandler) method. This also works fine, but the authentication is only done with the ejb container. Tomcat is not informed about the user login. So the secure pages are still restricted.
I think the reason this is tricky is that the javaee security model has the container making the authentication and access decisions in container code that is accessed before the control gets to any user code.
There is no provision for the user code to either help with container managed authentication or authorization. So, by the time control gets to the code backing the jsf components, both authentication and authorization should have taken place.
As a wild and unlikely idea, could some of the JSF component code forward an appropriately munged request to the j_security_check stuff?
You might try the geronimo-specific ContextManager.login method which will at least engage geronimo's security framework. I don't think it will work though for repeated requests as I don't see any way for tomcat to recognize that the next request is from the same user.
It might also be possible to fish around inside tomcat to get the Authenticator and use that instead of ContextManager.login. Since this is what tomcat does anyway this should install the stuff tomcat uses to track the user.
It might also be possible to do something elegant in the new and not-in-geronimo-yet jaspi spec.
Does the jsf spec have anything to say about this?
thanks
david jencks
Does anybody know a better way of integrating JAAS with JSF with the purpose of not losing the JSF navigation features??
Thanks in advance!!
--
View this message in context: http://www.nabble.com/How-to-use-JAAS-with-JSF-%2C-best-practice-tp16137644s134p16304268.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
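The "own filter to watch the requested pages" that rbaumhof sketches at the top of the thread, combined with Ralf's wish to keep navigation inside JSF, can be done without touching j_security_check at all: let the container authenticate, then let a servlet Filter gate every request on whether a role has been chosen, and let a JSF backing bean record the choice. The code below is an added example written for this thread; it is not code from the thread, from Geronimo or from Tomcat. The role names, the `*.jsf` mapping, the session keys, the bean and page names and the faces-config outcomes `welcome` and `selectRole` are all assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Runs after container-managed login (j_security_check) has succeeded.
 * A user who holds more than one role and has not chosen one yet is sent
 * to the selection page on every request; the choice lives in the session.
 * Map it in web.xml to url-pattern /* (dispatcher REQUEST).
 */
public class RoleSelectionFilter implements Filter {

    /** Session key for the role the user currently acts in. */
    public static final String SELECTED_ROLE = "selectedRole";
    /** Session key under which the roles to choose from are published. */
    public static final String AVAILABLE_ROLES = "availableRoles";

    // Assumed role names from the workflow in the thread; a real deployment
    // would read them from configuration rather than hard-code them.
    private static final String[] CANDIDATE_ROLES =
        { "administrator", "local-administrator", "application-user" };
    // Assumed servlet path of the selection page (JSF mapped to *.jsf).
    private static final String SELECT_PAGE = "/selectRole.jsf";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No principal yet: the container's login page has not run, nothing to decide.
        if (request.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession();
        if (session.getAttribute(SELECTED_ROLE) != null) {
            chain.doFilter(req, res);   // role already chosen
            return;
        }

        // Ask the container, never the client, which roles the user really has.
        List<String> roles = new ArrayList<String>();
        for (String role : CANDIDATE_ROLES) {
            if (request.isUserInRole(role)) {
                roles.add(role);
            }
        }
        if (roles.isEmpty()) {
            // Authenticated but in none of our roles: refuse instead of
            // continuing with an undefined role.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (roles.size() == 1) {
            session.setAttribute(SELECTED_ROLE, roles.get(0));
            chain.doFilter(req, res);   // single role: straight to the welcome page
            return;
        }

        // Several roles and no choice yet: only the selection page may be served.
        session.setAttribute(AVAILABLE_ROLES, roles);
        if (SELECT_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + SELECT_PAGE);
        }
    }
}

/** Assumed backing bean for selectRole.jsp: listbox bound to "role", button calls select(). */
class RoleSelectionBean {
    private String role;

    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }

    public String select() {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        // The posted value is untrusted: re-check it against the container's view
        // of the user, or a client could claim a role that was never offered.
        if (role == null || !ext.isUserInRole(role)) {
            return "selectRole";        // assumed navigation outcome: stay on the page
        }
        ext.getSessionMap().put(RoleSelectionFilter.SELECTED_ROLE, role);
        return "welcome";               // assumed navigation outcome
    }
}
```

Two caveats a practitioner should keep in mind. First, the filter changes nothing about what Tomcat believes: `isUserInRole` and any `<security-constraint>` in web.xml still see every role the realm returned, so the selected role only constrains access where application code (a backing bean, an EJB facade, or this filter extended with per-page rules) actually consults `SELECTED_ROLE`; web.xml constraints remain a coarse gate, not the separation-of-duty check. Second, the choice is bound to the HTTP session, so invalidating the session on logout also discards it, and a role switch should go through `select()` again rather than letting any page write the session attribute directly.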