Hello everyone.
I have a problem with user authentication in my web application, with
getting particular rights applied to users individually. Whenever a new
user logs in, all the other users get the same effective rights as the
last one that logged in.
I guess that something is wrong with context usage, but cannot figure out
what exactly. And moreover, the whole idea of session/context interaction
remains vague for me.
I follow this example:
http://tomee.apache.org/examples-trunk/testing-security-3/README.html
When I am authenticated through a web browser, a new InitialContext instance
is created based on the login data, as follows:
import java.util.Properties;

import javax.ejb.Stateless;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

@Stateless
public class AuthBean {

    public InitialContext login(final String login, final String password) {
        Properties p = new Properties();
        // Embedded OpenEJB/TomEE context factory; the realm name selects the JAAS login configuration
        p.put(Context.INITIAL_CONTEXT_FACTORY,
              "org.apache.openejb.core.LocalInitialContextFactory");
        p.setProperty("openejb.authentication.realmName", "ServiceProviderLogin");
        // The credentials are checked when the context is created
        p.put(Context.SECURITY_PRINCIPAL, login);
        p.put(Context.SECURITY_CREDENTIALS, password);
        InitialContext context = null;
        try {
            context = new InitialContext(p);
        } catch (NamingException e) {
            // new InitialContext(p) declares only NamingException; a failed login
            // surfaces as a NamingException here, so catching LoginException
            // alongside it does not compile
            e.printStackTrace();
        }
        return context;
    }
}

The first problem then is that the user name returned from the related
SessionContext instance is the same for all users, namely the name of the
last user that logged in, as returned by the getUserName() method:
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.enterprise.context.RequestScoped;

@Stateless
public class TestBean {

    @Resource
    SessionContext sessionContext;

    // @RequestScoped is a CDI scope annotation; on a plain business method of a
    // stateless session bean it has no effect on the caller identity reported below
    @RequestScoped
    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    public String getUserName() {
        // The container reports the identity associated with the current call
        String name = sessionContext.getCallerPrincipal().getName();
        System.err.println("USER NAME " + name);
        return name;
    }
}

My second attempt to implement user authentication was based on
LoginContext. But in this case the returned username is always “guest”:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

class JaasLogin {
    // Authenticates against the "ServiceProviderLogin" JAAS configuration entry
    public static LoginContext login(String login, String password) throws LoginException {
        LoginContext loginContext = new LoginContext("ServiceProviderLogin",
                new MyCallbackHandler(login, password));
        loginContext.login();
        return loginContext;
    }
}

public class MyCallbackHandler implements CallbackHandler {
    private final String username;
    private final String password;

    public MyCallbackHandler(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Supplies the user name and password to the callbacks the login module asks for
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                NameCallback nc = (NameCallback) callback;
                nc.setName(username);
            } else if (callback instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) callback;
                pc.setPassword(password.toCharArray());
            } else {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
        }
    }
}

What may be wrong with these approaches? What might be the relevant reading
on this topic?

Thank you in advance and best regards,
Sergey Petrov.

--
View this message in context: 
http://openejb.979440.n4.nabble.com/Approach-to-user-authentication-tp4663643.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
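An added example, not the poster's code and not taken from the TomEE example, that exercises the InitialContext approach the way the linked README uses it: each call to TestBean goes through the context created with that user's credentials, and that context is closed in a finally block once the call is done, so the identity bound by one login is released before the next one. It assumes TestBean is reachable under the JNDI name "TestBeanLocalBean" and that the two accounts are constructed sample values present in the ServiceProviderLogin realm.

```java
import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class CallerIdentityCheck {

    // Assumed JNDI name of TestBean's no-interface view under the local context factory
    private static final String TEST_BEAN_JNDI = "TestBeanLocalBean";

    // Logs in as the given user, calls TestBean.getUserName() through the
    // context created by that login, and closes the context before returning.
    public static String callerNameFor(String user, String password) throws NamingException {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY,
              "org.apache.openejb.core.LocalInitialContextFactory");
        p.put("openejb.authentication.realmName", "ServiceProviderLogin");
        p.put(Context.SECURITY_PRINCIPAL, user);
        p.put(Context.SECURITY_CREDENTIALS, password);

        InitialContext context = new InitialContext(p); // authentication happens here
        try {
            TestBean bean = (TestBean) context.lookup(TEST_BEAN_JNDI);
            return bean.getUserName();
        } finally {
            context.close(); // release the identity bound by this login
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample accounts; they must exist in the ServiceProviderLogin realm
        String first = callerNameFor("alice", "alice-pass");
        String second = callerNameFor("bob", "bob-pass");
        // Each call must report its own caller, not the most recent login
        if (!"alice".equals(first) || !"bob".equals(second)) {
            throw new IllegalStateException("caller identity leaked: " + first + " / " + second);
        }
        System.out.println("caller identity follows each login: " + first + ", " + second);
    }
}
```

If the second call still reports the first user, the leak is in the container's identity handling rather than in how the web tier reuses the context.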