7 Replies Latest reply on May 18, 2006 6:10 PM by ricardoarguello

Login Status and Failure Messages with Form Based security

skidvd May 31, 2005 11:10 AM

Hello:

I have a JSF based web app that is successfully using form based authentication as shown below in the web.xml snippet:

 <security-constraint>
 <web-resource-collection>
 <web-resource-name>SCFDB</web-resource-name>
 <url-pattern>/admin/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>SCFDBUser</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint>
 </security-constraint>

 <login-config>
 <auth-method>FORM</auth-method>
 <realm-name>SCFDB</realm-name>
 <form-login-config>
 <form-login-page>/login.faces</form-login-page>
 <form-error-page>/login-error.faces</form-error-page>
 </form-login-config>
 </login-config>

The realm is mapped to a fairly simple extension of the DatabaseServerLoginModule in the login-config.xml:

 <application-policy name = "SCFDB">
 <authentication>
 <!-- TEG moving to custom LoginManager
 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
 -->
 <login-module code = "nuwss.edb.scfdb.security.SCFDBLoginModule"
 flag = "required">
 <module-option name = "dsJndiName">java:jdbc/scfdb</module-option>
 <module-option name = "principalsQuery">select password_cur, password_exp, login_failed_attempts, locked_flag, last_name, first_name, email, title from user_accounts where login_name=?</module-option>
 <module-option name = "rolesQuery">select role, role_group from use
r_roles where login_name=?</module-option>
 <module-option name = "hashAlgorithm">SHA1</module-option>
 <module-option name = "hashEncoding">BASE64</module-option>
 </login-module>
 </authentication>
 </application-policy>

The presentation of the form based login and login-error pages as well as the authentication are all working as expected. My question has to do with the presentation of additional status and error messages. This application has requirements that include messages similar to the following:

- (Upon successful logon) "WARNING: Your password is about to expire. It will expire in 5 days"...
- (Upon failed logon attempt) "Your account has been adminstratively locked..."
- (Upon failed logon attempt) "Your account has been disabled..."
etc., etc.

My simple extension to DatabaseServerLoginModule, SCFDBLoginModule, allows me to detect each of these conditions. However, I appear to have no way to report this status to the user from within the extension - at least that I can find so far?

As this is a JSF application, the ideal would be to be able to add a FacesMessage, but the j_security_check appears to be processed before a FecesContext is in attached. My second thought was to add the required info to the users' session and use a listener, filter or PhaseListener to convert these to FacesMessages at the appropriate time - the problem here is that I don not appear to have any access to the session from within the DatabaseServerLoginModule extension?

Any and all thoughts and ideas will be greatly appreciated.

1. Re: Login Status and Failure Messages with Form Based securi

rpa_rio May 31, 2005 3:02 PM (in response to skidvd)

I need to do the same thing here, can you send to me your login-config.xml and the other files to undertand better the JAAS configuration under JBOSS?
Actions
2. Re: Login Status and Failure Messages with Form Based securi

rpa_rio May 31, 2005 4:08 PM (in response to skidvd)

Can i put login-config.xml inside myapp.sar or i need to add entries to login-config.xml that exist in $jboss/server/defaul/conf directory?
Actions
3. Re: Login Status and Failure Messages with Form Based securi

tcherel May 31, 2005 4:39 PM (in response to skidvd)

you can put it in you sar file.
Check the DynamicLoginConfig stuff in the Wiki pages: http://wiki.jboss.org/wiki/Wiki.jsp?page=DynamicLoginConfig
Actions
4. Re: Login Status and Failure Messages with Form Based securi

skidvd May 31, 2005 4:48 PM (in response to skidvd)

Can we please get this thread back to it's original question - how can login and status messages get propogated back to the user of a web based application.
Actions
5. Re: Login Status and Failure Messages with Form Based securi

starksm64 Jun 4, 2005 9:40 AM (in response to skidvd)

See the FormAuthValve in the following wiki page:

http://wiki.jboss.org/wiki/Wiki.jsp?page=CustomizingSecurityUsingValves
Actions
6. Re: Login Status and Failure Messages with Form Based securi

skidvd Jun 21, 2005 9:42 AM (in response to skidvd)

Thanks Scott for the pointer to the Valve Wiki. This will likely work as well. I have also implemented a different solution that basically temporarily stores a user's "login messages" (password expiration warnings, locked accounts, etc.) collected in the extended LoginModule and subsequently displays them in a JSF PhaseListener. From a high level this is the same sort of solution that the valve would offer, except that it avoids my tight dependcy on Tomcat's Valve.

Of course, both solutions are entirely dependant upon an extension to the JBoss DatabaseLoginModule. It's suprising that the JAAS spec does not standardize a way of handling these sorts of additional security messages that many apps require. Are you aware of any additional work or extensions in this area?
Actions
7. Re: Login Status and Failure Messages with Form Based securi

ricardoarguello May 18, 2006 6:10 PM (in response to skidvd)

You should check the ExtendedFormAuthenticator, available in JBoss 4.0.3+:

http://wiki.jboss.org/wiki/Wiki.jsp?page=ExtendedFormAuthenticator

It's more flexible than the FormAuthValve trick.
Actions

Go to original post