Hi Sergey, TomEE relies on the JAAS and Tomcat authentication mechanism. If you are working with a web application, you shouldn't need to create the InitialContext yourself. You should use JAAS just like you would do in a regular web application (http://java.dzone.com/articles/understanding-web-security) or you can call the *request.login* method yourself (example: https://github.com/tveronezi/photodb/blob/master/photodb-web/src/main/java/photodb/service/rest/User.java - authenticate method).
More about TomEE and JAAS: http://tomee.apache.org/tomee-jaas.html

[]s,
Thiago.

On Tue, Jun 11, 2013 at 8:55 AM, sergpetrov <[email protected]> wrote:

> Hello everyone.
> I have a problem with user authentication in my web application, with
> getting particular rights applied to users individually. With every
> new user having logged in, all the other users get the same effective
> rights as the last one that logged in.
> I guess that something is wrong with context usage, but cannot figure out
> what exactly. And moreover, the whole idea of session/context interaction
> remains vague for me.
> I follow this example:
> http://tomee.apache.org/examples-trunk/testing-security-3/README.html
> When I am authenticated through a web browser, a new InitialContext
> instance is created based on the login data, as follows:
>
>     @Stateless
>     public class AuthBean {
>         public InitialContext login(final String login, final String password) {
>             Properties p = new Properties();
>             p.put(Context.INITIAL_CONTEXT_FACTORY,
>                   "org.apache.openejb.core.LocalInitialContextFactory");
>             p.setProperty("openejb.authentication.realmName", "ServiceProviderLogin");
>             p.put(Context.SECURITY_PRINCIPAL, login);
>             p.put(Context.SECURITY_CREDENTIALS, password);
>             InitialContext context = null;
>             try {
>                 context = new InitialContext(p);
>             } catch (NamingException e) {
>                 e.printStackTrace();
>             }
>             return context;
>         }
>     }
>
> The first problem then is that user names returned from the related
> SessionContext instance are the same for all users, namely the name of the
> last user having logged in, as returned by the getUserName() method:
>
>     @Stateless
>     public class TestBean {
>         @Resource
>         SessionContext sessionContext;
>
>         @RequestScoped
>         @TransactionAttribute(TransactionAttributeType.REQUIRED)
>         public String getUserName() {
>             System.err.println("USER NAME " + sessionContext.getCallerPrincipal().getName());
>             return sessionContext.getCallerPrincipal().getName();
>         }
>     }
>
> My second attempt to implement user authentication was based on
> LoginContext. But in this case the username returned is always "guest":
>
>     LoginContext loginContext = new LoginContext("ServiceProviderLogin",
>             new MyCallbackHandler(login, password));
>     loginContext.login();
>
>     public class MyCallbackHandler implements CallbackHandler {
>         private String username;
>         private String password;
>
>         public MyCallbackHandler(String username, String password) {
>             this.username = username;
>             this.password = password;
>         }
>
>         public void handle(Callback[] callbacks) throws IOException,
>                 UnsupportedCallbackException {
>             for (int i = 0; i < callbacks.length; i++) {
>                 if (callbacks[i] instanceof NameCallback) {
>                     NameCallback nc = (NameCallback) callbacks[i];
>                     nc.setName(username);
>                 } else if (callbacks[i] instanceof PasswordCallback) {
>                     PasswordCallback pc = (PasswordCallback) callbacks[i];
>                     pc.setPassword(password.toCharArray());
>                 } else {
>                     throw new UnsupportedCallbackException(callbacks[i],
>                             "Unrecognized Callback");
>                 }
>             }
>         }
>     }
>
> What may be wrong with these approaches? What might be the relevant reading
> on this topic?
>
> Thank you in advance and best regards,
> Sergey Petrov.
>
> --
> View this message in context:
> http://openejb.979440.n4.nabble.com/Approach-to-user-authentication-tp4663643.html
> Sent from the OpenEJB User mailing list archive at Nabble.com.
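The `request.login` route Thiago points to, as an added illustration that is not part of this thread, of TomEE, or of the photodb project linked above. It is a plain Servlet 3.0 servlet (the `javax.servlet` API of TomEE 1.x) and assumes the web application's realm, configured in Tomcat/TomEE (for example the JAAS realm from the tomee-jaas page), knows the users and their roles; the servlet mapping `/login`, the parameter names `username`/`password`, the role name `admin` and the class name are assumptions for this example. The security point it demonstrates is the one in the reply: the container authenticates the credentials and binds the resulting principal to this caller's own session, so a second user logging in does not overwrite the first user's identity the way a shared, hand-built InitialContext did in the question.

```java
package example; // hypothetical package for this added example

import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Programmatic login through the Servlet 3.0 API instead of building an
 * InitialContext with SECURITY_PRINCIPAL/SECURITY_CREDENTIALS.
 *
 * POST   /login  (username, password)  -> authenticate against the realm
 * DELETE /login                        -> log out and drop the session
 */
@WebServlet("/login") // assumed mapping
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Drop any pre-login session so an attacker-supplied session id is
        // never promoted to an authenticated one (session fixation), then
        // create a fresh session; Tomcat caches the principal established by
        // request.login() in the session that exists at login time.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true);

        try {
            // Tomcat/TomEE verifies the credentials against the realm
            // configured for this web application and sets the principal
            // on this request and its session only.
            request.login(username, password);
        } catch (ServletException e) {
            // Wrong credentials, unknown user, or no realm/authenticator
            // configured: report a generic failure, do not say which.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Principal principal = request.getUserPrincipal();
        response.setContentType("text/plain");
        response.getWriter().println("logged in as " + principal.getName()
                + ", admin=" + request.isUserInRole("admin")); // role name assumed
    }

    @Override
    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Clear the container's notion of the caller and the session with it.
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Because the identity now lives in the caller's session rather than in a context object held by a stateless bean, each subsequent request from that browser carries its own principal, and in TomEE an EJB invoked from that request sees the same caller through `SessionContext.getCallerPrincipal()`, which is the value the question's `TestBean.getUserName()` reads. A quick check when debugging the original symptom is to log in as two different users from two separate browser sessions and confirm that `getUserPrincipal()` differs per session.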
