8 Replies Latest reply on Nov 22, 2006 7:25 PM by dabubble

    Seam security example failure.

    elenh

      Hello,

      I have downloaded the most recent version of Seam from CVS and I am trying to deploy the security example.
      I think I have understood what is written in the wiki (SeamAuthenticationGuide), but I continually get the following exception:

      13:59:13,109 INFO [SessionFactoryImpl] closing
      13:59:13,109 INFO [SchemaExport] Running hbm2ddl schema export
      13:59:13,109 INFO [SchemaExport] exporting generated schema to database
      13:59:13,109 INFO [SchemaExport] schema export complete
      13:59:13,109 INFO [EARDeployer] Undeploying J2EE application, destroy step: file:/C:/servers/jboss_4_0_4_GA/server/default/deploy/seam-security.ear
      13:59:13,109 INFO [EARDeployer] Undeployed J2EE application: file:/C:/servers/jboss_4_0_4_GA/server/default/deploy/seam-security.ear
      13:59:13,125 INFO [EARDeployer] Init J2EE application: file:/C:/servers/jboss_4_0_4_GA/server/default/deploy/seam-security.ear
      13:59:13,140 ERROR [MetaData] Cannot obtain unauthenticated principal
      13:59:13,750 INFO [Ejb3DescriptorHandler] adding class annotation org.jboss.annotation.internal.DefaultInterceptorMarker to org.jboss.seam.example.security.LoginAction org.jboss.annotation.internal.DefaultInterceptorMarkerImpl@18339aa
      13:59:13,781 INFO [Ejb3DescriptorHandler] adding class annotation org.jboss.annotation.internal.DefaultInterceptorMarker to org.jboss.seam.example.security.ProtectedAction org.jboss.annotation.internal.DefaultInterceptorMarkerImpl@9c393d
      13:59:13,843 INFO [Ejb3Deployment] EJB3 deployment time took: 140
      13:59:13,890 INFO [JmxKernelAbstraction] installing MBean: persistence.units:ear=seam-security.ear,jar=seam-security.jar,unitName=securityDatabase with dependencies:
      13:59:13,890 INFO [JmxKernelAbstraction] jboss.jca:name=securityDatasource,service=ManagedConnectionFactory
      13:59:13,921 INFO [Ejb3Configuration] found EJB3 Entity bean: org.jboss.seam.example.security.Role
      13:59:13,921 INFO [Ejb3Configuration] found EJB3 Entity bean: org.jboss.seam.example.security.User
      13:59:13,921 WARN [Ejb3Configuration] Persistence provider caller does not implements the EJB3 spec correctly. PersistenceUnitInfo.getNewTempClassLoader() is null.
      13:59:13,921 INFO [Configuration] Reading mappings from resource: META-INF/orm.xml
      13:59:13,921 INFO [Ejb3Configuration] [PersistenceUnit: securityDatabase] no META-INF/orm.xml found
      13:59:13,921 INFO [AnnotationBinder] Binding entity from annotated class: org.jboss.seam.example.security.Role
      13:59:13,921 INFO [EntityBinder] Bind entity org.jboss.seam.example.security.Role on table Role
      13:59:13,921 INFO [AnnotationBinder] Binding entity from annotated class: org.jboss.seam.example.security.User
      13:59:13,921 INFO [EntityBinder] Bind entity org.jboss.seam.example.security.User on table User
      13:59:13,937 INFO [CollectionBinder] Mapping collection: org.jboss.seam.example.security.User.roles -> Role
      13:59:14,000 INFO [ConnectionProviderFactory] Initializing connection provider: org.hibernate.ejb.connection.InjectedDataSourceConnectionProvider
      13:59:14,000 INFO [InjectedDataSourceConnectionProvider] Using provided datasource
      13:59:14,000 INFO [SettingsFactory] RDBMS: HSQL Database Engine, version: 1.8.0
      13:59:14,000 INFO [SettingsFactory] JDBC driver: HSQL Database Engine Driver, version: 1.8.0
      13:59:14,000 INFO [Dialect] Using dialect: org.hibernate.dialect.HSQLDialect
      13:59:14,000 INFO [TransactionFactoryFactory] Transaction strategy: org.hibernate.ejb.transaction.JoinableCMTTransactionFactory
      13:59:14,015 INFO [TransactionManagerLookupFactory] instantiating TransactionManagerLookup: org.hibernate.transaction.JBossTransactionManagerLookup
      13:59:14,015 INFO [TransactionManagerLookupFactory] instantiated TransactionManagerLookup
      13:59:14,015 INFO [SettingsFactory] Automatic flush during beforeCompletion(): disabled
      13:59:14,015 INFO [SettingsFactory] Automatic session close at end of transaction: disabled
      13:59:14,015 INFO [SettingsFactory] JDBC batch size: 15
      13:59:14,015 INFO [SettingsFactory] JDBC batch updates for versioned data: disabled
      13:59:14,015 INFO [SettingsFactory] Scrollable result sets: enabled
      13:59:14,015 INFO [SettingsFactory] JDBC3 getGeneratedKeys(): disabled
      13:59:14,015 INFO [SettingsFactory] Connection release mode: auto
      13:59:14,015 INFO [SettingsFactory] Default batch fetch size: 1
      13:59:14,015 INFO [SettingsFactory] Generate SQL with comments: disabled
      13:59:14,015 INFO [SettingsFactory] Order SQL updates by primary key: disabled
      13:59:14,015 INFO [SettingsFactory] Query translator: org.hibernate.hql.ast.ASTQueryTranslatorFactory
      13:59:14,015 INFO [ASTQueryTranslatorFactory] Using ASTQueryTranslatorFactory
      13:59:14,015 INFO [SettingsFactory] Query language substitutions: {}
      13:59:14,015 INFO [SettingsFactory] Second-level cache: enabled
      13:59:14,015 INFO [SettingsFactory] Query cache: disabled
      13:59:14,015 INFO [SettingsFactory] Cache provider: org.hibernate.cache.HashtableCacheProvider
      13:59:14,015 INFO [SettingsFactory] Optimize cache for minimal puts: disabled
      13:59:14,015 INFO [SettingsFactory] Structured second-level cache entries: disabled
      13:59:14,015 INFO [SettingsFactory] Echoing all SQL to stdout
      13:59:14,015 INFO [SettingsFactory] Statistics: disabled
      13:59:14,015 INFO [SettingsFactory] Deleted entity synthetic identifier rollback: disabled
      13:59:14,015 INFO [SettingsFactory] Default entity-mode: pojo
      13:59:14,015 INFO [SessionFactoryImpl] building session factory
      13:59:14,046 INFO [SessionFactoryObjectFactory] Not binding factory to JNDI, no JNDI name configured
      13:59:14,062 INFO [SchemaExport] Running hbm2ddl schema export
      13:59:14,062 INFO [SchemaExport] exporting generated schema to database
      13:59:14,078 INFO [SchemaExport] Executing import script: /import.sql
      13:59:14,078 INFO [SchemaExport] schema export complete
      13:59:14,078 INFO [NamingHelper] JNDI InitialContext properties:{java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory, java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces}
      13:59:14,125 INFO [JmxKernelAbstraction] installing MBean: jboss.j2ee:ear=seam-security.ear,jar=seam-security.jar,name=LoginAction,service=EJB3 with dependencies:
      13:59:14,421 INFO [EJBContainer] STARTED EJB: org.jboss.seam.example.security.LoginAction ejbName: LoginAction
      13:59:14,453 INFO [JmxKernelAbstraction] installing MBean: jboss.j2ee:ear=seam-security.ear,jar=seam-security.jar,name=ProtectedAction,service=EJB3 with dependencies:
      13:59:14,468 WARN [ServiceController] Problem starting service jboss.j2ee:ear=seam-security.ear,jar=seam-security.jar,name=ProtectedAction,service=EJB3
      java.lang.RuntimeException: javax.naming.NameNotFoundException: jaas not bound
       at org.jboss.ejb3.security.AuthenticationInterceptorFactory.createPerClass(AuthenticationInterceptorFactory.java:56)
       at org.jboss.aop.advice.AspectFactoryDelegator.createPerClass(AspectFactoryDelegator.java:107)
       at org.jboss.aop.Advisor.addPerClassAspect(Advisor.java:598)
       at org.jboss.aop.advice.ScopedInterceptorFactory.create(ScopedInterceptorFactory.java:72)
       at org.jboss.aop.Advisor.createInterceptorChain(Advisor.java:646)
       at org.jboss.aop.Advisor.pointcutResolved(Advisor.java:916)
       at org.jboss.aop.Advisor.resolveMethodPointcut(Advisor.java:678)
       at org.jboss.aop.ClassContainer.createInterceptorChains(ClassContainer.java:246)
       at org.jboss.aop.ClassContainer.rebuildInterceptors(ClassContainer.java:113)
       at org.jboss.aop.ClassContainer.initializeClassContainer(ClassContainer.java:56)
       at org.jboss.ejb3.EJBContainer.start(EJBContainer.java:497)
       at org.jboss.ejb3.SessionContainer.start(SessionContainer.java:82)
       at org.jboss.ejb3.stateless.StatelessContainer.start(StatelessContainer.java:80)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.ejb3.ServiceDelegateWrapper.startService(ServiceDelegateWrapper.java:99)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:978)
       at $Proxy0.start(Unknown Source)
       at org.jboss.system.ServiceController.start(ServiceController.java:417)
       at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy72.start(Unknown Source)
       at org.jboss.ejb3.JmxKernelAbstraction.install(JmxKernelAbstraction.java:82)
       at org.jboss.ejb3.Ejb3Deployment.registerEJBContainer(Ejb3Deployment.java:439)
       at org.jboss.ejb3.Ejb3Deployment.start(Ejb3Deployment.java:486)
       at org.jboss.ejb3.Ejb3Module.startService(Ejb3Module.java:139)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:978)
       at $Proxy0.start(Unknown Source)
       at org.jboss.system.ServiceController.start(ServiceController.java:417)
       at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy36.start(Unknown Source)
       at org.jboss.ejb3.EJB3Deployer.start(EJB3Deployer.java:449)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
       at org.jboss.mx.interceptor.DynamicInterceptor.invoke(DynamicInterceptor.java:97)
       at org.jboss.system.InterceptorServiceMBeanSupport.invokeNext(InterceptorServiceMBeanSupport.java:238)
       at org.jboss.ws.server.WebServiceDeployer.start(WebServiceDeployer.java:117)
       at org.jboss.deployment.SubDeployerInterceptorSupport$XMBeanInterceptor.start(SubDeployerInterceptorSupport.java:188)
       at org.jboss.deployment.SubDeployerInterceptor.invoke(SubDeployerInterceptor.java:95)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy37.start(Unknown Source)
       at org.jboss.deployment.MainDeployer.start(MainDeployer.java:1007)
       at org.jboss.deployment.MainDeployer.start(MainDeployer.java:997)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:808)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:771)
       at sun.reflect.GeneratedMethodAccessor12.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy6.deploy(Unknown Source)
       at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:421)
       at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:610)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:263)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.loop(AbstractDeploymentScanner.java:274)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.run(AbstractDeploymentScanner.java:225)
      Caused by: javax.naming.NameNotFoundException: jaas not bound
       at org.jnp.server.NamingServer.getBinding(NamingServer.java:529)
       at org.jnp.server.NamingServer.getBinding(NamingServer.java:537)
       at org.jnp.server.NamingServer.getObject(NamingServer.java:543)
       at org.jnp.server.NamingServer.lookup(NamingServer.java:267)
       at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:625)
       at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:587)
       at javax.naming.InitialContext.lookup(InitialContext.java:351)
       at org.jboss.ejb3.security.AuthenticationInterceptorFactory.createPerClass(AuthenticationInterceptorFactory.java:51)
       ... 111 more
      


      Also, I'm not sure what I have to write in the seam-security.xml file, where the realm has to be defined:

      <!-- do i need to really specify the realm here? perhaps only
           provide SeamRealm and make it extensible/pluggable into
           various target authentication mechanisms, e.g. TOMCAT, JAAS, custom, etc -->

      <realm className="org.jboss.seam.security.realm.JaasRealm">
        <!--param name="target">TOMCAT</param-->
        <!--param name="target">JAAS</param-->
      </realm>
      


      There is no file named JaasRealm. I guess that this should define the security domain, but I don't understand how to deal with it.

      I'm new to JBoss Seam and even more so to JAAS, and I'm really confused by the configuration needed to bind JAAS to a Seam application, so any help is welcome!!!

      Thanks,
      Elenh.

        • 1. Re: Seam security example failure.
          shane.bryzak

          I'm not sure what's causing the exception, but seam-security.xml is currently not being used so no need to include it for the time being. That may change once page security is implemented, but for now the only configuration is in components.xml.

          I'll be working on getting this stuff complete real soon now, so I'd recommend waiting a couple of weeks if possible until the security API is more final. It should be a whole lot simpler to use and easier to configure once it's complete.

          • 2. Re: Seam security example failure.

            Hello sbryzak2,
            I would like to know when you plan to release your final version of the Security API.

            Thanks,
            Yogesh
            M-ITC LTD
            http://www.m-itc.net

            • 3. Re: Seam security example failure.
              shane.bryzak

              I'm working on it right now, but I don't think it will be ready for the next Seam release. Though having said that, it's almost in a state where it can be used - if you take a look at the security example now you'll see it's been greatly simplified. It would be great to get some feedback from people who are willing to try it out :)

              • 4. Re: Seam security example failure.

                Hi Shane,
                Thanks for replying. The example is working only with Seam from CVS, right? I am working on a project with Seam 1.0.1.GA and would have loved to get this working with it. Can you confirm, please?

                Best Regards,
                Yogesh,
                M-ITC LTD
                www.m-itc.net

                • 5. Re: Seam security example failure.
                  dajevtic

                  Hi, dear Seamers!
                  I have managed to get a Login Module working which takes users and passwords from an EJB3 entity. After that I use a session bean that takes the user principal of the FacesContext's external context and authenticates the user with the Seam authenticator.

                  login-module.xml:

                  <application-policy name="simple">
                    <authentication>
                      <login-module
                          code="de.livemediagroup.security.auth.MarktplatzLoginModule"
                          flag="required">
                        <module-option name="jndiEntityManagerFactory">java:/issuesEntityManagerFactory</module-option>
                      </login-module>
                    </authentication>
                  </application-policy>


                  LoginModule java file:

                  import java.security.acl.Group;
                  import java.util.ArrayList;
                  import java.util.List;

                  import javax.naming.InitialContext;
                  import javax.persistence.EntityManager;
                  import javax.persistence.EntityManagerFactory;
                  import javax.security.auth.login.LoginException;

                  import org.apache.commons.logging.Log;
                  import org.apache.commons.logging.LogFactory;
                  import org.jboss.security.SimpleGroup;
                  import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

                  // UserInformation and Role are the poster's own entities (not shown in the thread).
                  public class MarktplatzLoginModule extends UsernamePasswordLoginModule {

                     private static final Log log = LogFactory.getLog(MarktplatzLoginModule.class);

                     // module-option in the application-policy naming the JNDI-bound EntityManagerFactory
                     private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";

                     private UserInformation user;

                     // Called by UsernamePasswordLoginModule.login(): the value returned here is
                     // compared with the password the user submitted. This table holds the
                     // clear-text password; with the hashAlgorithm/hashEncoding module options the
                     // submitted password is hashed first and this method must return the stored hash.
                     @Override
                     protected String getUsersPassword() throws LoginException {
                        EntityManager entityManager = null;
                        try {
                           InitialContext ctx = new InitialContext();
                           String jndiEntityManagerFactory = options.get(JNDI_EM_CONFIG_KEY).toString();
                           log.debug("EntityManagerFactory JNDI name: " + jndiEntityManagerFactory);
                           EntityManagerFactory factory = (EntityManagerFactory) ctx.lookup(jndiEntityManagerFactory);
                           entityManager = factory.createEntityManager();

                           user = (UserInformation) entityManager.createQuery(
                                 "from UserInformation where login=:login")
                                 .setParameter("login", getUsername()).getSingleResult();
                           return user.getPassword();
                        } catch (Exception e) {
                           // "Fehler beim ermitteln des Benutzers" = "Error determining the user"
                           log.error("Fehler beim ermitteln des Benutzers", e);
                           throw new LoginException("Fehler beim ermitteln des Benutzers: " + e);
                        } finally {
                           if (entityManager != null) {
                              entityManager.close();   // the original never closed the EntityManager
                           }
                        }
                     }

                     // Called after a successful password check: builds the "Roles" group the
                     // container consults for isUserInRole() and <auth-constraint> decisions.
                     @Override
                     protected Group[] getRoleSets() throws LoginException {
                        Group rolesGroup = new SimpleGroup("Roles");
                        List<Group> groups = new ArrayList<Group>();
                        groups.add(rolesGroup);
                        try {
                           for (Role role : user.getRoles()) {
                              rolesGroup.addMember(createIdentity(role.getName()));
                           }
                        } catch (Exception e) {
                           log.error("Fehler beim ermitteln der Rollen", e);   // "Error determining the roles"
                        }
                        return groups.toArray(new Group[groups.size()]);
                     }

                  }
                  


                  Managed seam session bean:

                  import java.security.Principal;

                  import javax.ejb.Stateful;
                  import javax.faces.context.FacesContext;
                  import javax.persistence.EntityManager;

                  import org.jboss.seam.ScopeType;
                  import org.jboss.seam.annotations.Begin;
                  import org.jboss.seam.annotations.Factory;
                  import org.jboss.seam.annotations.In;
                  import org.jboss.seam.annotations.Logger;
                  import org.jboss.seam.annotations.Name;
                  import org.jboss.seam.annotations.Out;
                  import org.jboss.seam.annotations.Scope;
                  import org.jboss.seam.annotations.Startup;
                  import org.jboss.seam.contexts.Contexts;
                  import org.jboss.seam.core.Conversation;
                  import org.jboss.seam.log.Log;
                  // Authenticator is the Seam CVS security API of the time; package name assumed.
                  import org.jboss.seam.security.Authenticator;

                  // Login is the poster's local interface (not shown in the thread).
                  @Name("login")
                  @Stateful
                  @Scope(ScopeType.SESSION)
                  @Startup
                  public class LoginBean implements Login {

                     @Logger
                     Log log;

                     @In(create=true)
                     private EntityManager entityManager;   // Seam-managed persistence context

                     @In(create=true)
                     private Conversation conversation;

                     private UserInformation instance = new UserInformation();

                     @Out(scope=ScopeType.SESSION, required=true)
                     private UserInformation User;

                     // Runs the first time something references #{User}. The principal comes from
                     // the container's FORM login (web.xml below), so this is only safe to reference
                     // from pages under the secured /marktplatz/* pattern: elsewhere
                     // getUserPrincipal() returns null and the calls below throw a NullPointerException.
                     @Factory("User")
                     @Begin(join=true)
                     public void createUser() {
                        Principal principal = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal();
                        log.debug("principal class: " + principal.getClass().getName());

                        String login = principal.getName();
                        log.debug("login " + login + ", entityManager " + entityManager);
                        User = (UserInformation) entityManager.createQuery("from UserInformation where login=:login")
                              .setParameter("login", login).getSingleResult();
                        // re-authenticates with Seam using the stored credentials of the container-authenticated user
                        Authenticator.instance().authenticate(User.getLogin(), User.getPassword());
                        Contexts.getSessionContext().set("loggedIn", true);
                     }
                  ...
                  ...
                  ...
                  


                  web.xml security:

                  
                  <security-constraint>
                    <web-resource-collection>
                      <web-resource-name>simple</web-resource-name>
                      <url-pattern>/marktplatz/*</url-pattern>
                    </web-resource-collection>
                    <auth-constraint>
                      <role-name>user</role-name>
                    </auth-constraint>
                  </security-constraint>

                  <login-config>
                    <auth-method>FORM</auth-method>
                    <form-login-config>
                      <form-login-page>/login.jsf</form-login-page>
                      <form-error-page>/login.jsf</form-error-page>
                    </form-login-config>
                  </login-config>

                  <welcome-file-list>
                    <welcome-file>/marktplatz/startpage.jsf</welcome-file>
                    <welcome-file>/index.html</welcome-file>
                  </welcome-file-list>
                  
                  
                  


                  Note that /marktplatz is the secured area and there is no other area except for the login page, which resides inside the root folder of my web app.

                  Now my questions:
                  1.) Am I assuming correctly that a session is only created when the user has logged in successfully, or have I just coded a HUGE security leak for my webapp?
                  2.) I tried using a custom principal class (UserInformation implements Principal) by specifying the principalClass option for my login module, and it was used throughout the login process. However, in my web app I always got a SimplePrincipal object when doing

                  FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName()

                  Why was my custom principal class not propagated into the external context, but a SimplePrincipal used instead?
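                  A hardened variant of the database login module in the post above, added here as an example; it is not dajevtic's code and not part of Seam or JBoss. It keeps the same login-config.xml entry (only the `code` attribute changes to this hypothetical class name), assumes the poster's UserInformation and Role entities (getPassword(), getRoles(), getName()), and assumes the password column now holds a "hexSalt:hexSha256" string rather than the clear-text password. Instead of letting UsernamePasswordLoginModule compare strings, it overrides validatePassword() to hash the submitted password with the stored salt, gives an unknown username the same failure as a wrong password, and always closes the EntityManager.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.acl.Group;
import javax.naming.InitialContext;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.NoResultException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Added example, not code from the thread. Assumes the poster's UserInformation
// (getPassword(), getRoles()) and Role (getName()) entities, with getPassword()
// holding "hexSalt:hexSha256" instead of the clear-text password.
public class SaltedHashLoginModule extends UsernamePasswordLoginModule {
   private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";
   private static final int SALT_BYTES = 16;
   private UserInformation user;

   // Base class calls this after reading the submitted credentials and hands the
   // result to validatePassword() below.
   @Override
   protected String getUsersPassword() throws LoginException {
      EntityManager em = null;
      try {
         EntityManagerFactory emf = (EntityManagerFactory) new InitialContext()
               .lookup(options.get(JNDI_EM_CONFIG_KEY).toString());
         em = emf.createEntityManager();
         user = (UserInformation) em.createQuery("from UserInformation where login = :login")
               .setParameter("login", getUsername()).getSingleResult();
         return user.getPassword();
      } catch (NoResultException e) {
         // Unknown user gets the same failure as a wrong password, so the login
         // response does not reveal which usernames exist.
         throw new FailedLoginException("Password Incorrect/Password Required");
      } catch (Exception e) {
         log.error("user lookup failed", e);        // log: AbstractServerLoginModule's logger
         throw new LoginException("user lookup failed");
      } finally {
         if (em != null) em.close();                 // never leak the EntityManager
      }
   }

   // Base class default is a plain String.equals(); compare salted hashes instead.
   @Override
   protected boolean validatePassword(String inputPassword, String expectedPassword) {
      if (inputPassword == null || expectedPassword == null) return false;
      int sep = expectedPassword.indexOf(':');
      if (sep < 0) return false;
      try {
         byte[] salt = fromHex(expectedPassword.substring(0, sep));
         byte[] stored = fromHex(expectedPassword.substring(sep + 1));
         // MessageDigest.isEqual is only constant-time from Java 6u17 onwards.
         return MessageDigest.isEqual(stored, digest(salt, inputPassword));
      } catch (RuntimeException e) {       // malformed stored value
         return false;
      }
   }

   @Override
   protected Group[] getRoleSets() throws LoginException {
      SimpleGroup roles = new SimpleGroup("Roles");   // group name the container expects
      try {
         for (Role role : user.getRoles()) {
            roles.addMember(createIdentity(role.getName()));
         }
      } catch (Exception e) {
         throw new LoginException("role lookup failed: " + e.getMessage());
      }
      return new Group[] { roles };
   }

   // For provisioning: the value to store in UserInformation.password for a new user.
   // One SHA-256 round over salt||password; prefer an iterated KDF where the JDK offers one.
   public static String createStoredPassword(String password) {
      byte[] salt = new byte[SALT_BYTES];
      new SecureRandom().nextBytes(salt);
      return toHex(salt) + ":" + toHex(digest(salt, password));
   }

   private static byte[] digest(byte[] salt, String password) {
      try {
         MessageDigest md = MessageDigest.getInstance("SHA-256");
         md.update(salt);
         return md.digest(password.getBytes("UTF-8"));
      } catch (Exception e) {              // SHA-256 and UTF-8 are mandatory in every JDK
         throw new IllegalStateException(e);
      }
   }

   private static String toHex(byte[] bytes) {
      StringBuilder sb = new StringBuilder(bytes.length * 2);
      for (byte b : bytes) sb.append(String.format("%02x", b));
      return sb.toString();
   }

   private static byte[] fromHex(String hex) {
      byte[] out = new byte[hex.length() / 2];
      for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
      return out;
   }
}
```

                  Store `SaltedHashLoginModule.createStoredPassword("secret")` in the password column when creating a user; the container then never sees a clear-text password at rest, and a bean that re-authenticates with `User.getPassword()` (as the LoginBean above does) no longer works, which is the intended effect.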



                  • 6. Re: Seam security example failure.
                    dajevtic

                    Almost forgot the login page :-)

                    
                    <s:form method="POST" action="j_security_check">
                      <h:panelGrid columns="2">

                        <f:facet name="header">
                          <h:panelGroup>
                            <h:outputText value="Login" />
                          </h:panelGroup>
                        </f:facet>

                        <!-- "Benutzername:" = "Username:"; label 'for' must match the forced input id -->
                        <h:outputLabel value="Benutzername:" for="j_username" />
                        <t:inputText forceId="true" id="j_username" />

                        <!-- "Passwort:" = "Password:" -->
                        <h:outputLabel value="Passwort:" for="j_password" />
                        <t:inputSecret forceId="true" id="j_password" />

                        <f:facet name="footer">
                          <h:panelGroup>
                            <!-- "Anmelden" = "Log in" -->
                            <h:commandButton type="submit" value="Anmelden" />
                          </h:panelGroup>
                        </f:facet>

                      </h:panelGrid>
                    </s:form>
                    
                    


                    I use MyFaces 1.1.5-SNAPSHOT, but a simple HTML or JSP login page will do just as well.

                    P.S. Please excuse the System.out.println calls and German text in my code: QUICK AND DIRTY all-nighter ;-)

                    • 7. Re: Seam security example failure.
                      dabubble

                      Very nice, thanks! I just spent 2 days trying to do things the other way around.

                      Is your component IsUserInRole working fine?
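                      The container-principal lookup from dajevtic's LoginBean and the isUserInRole check asked about here, as an added example; this is not code from the thread, from Seam or from JBoss. It assumes a hypothetical component name `currentUser`, the poster's UserInformation entity, a Seam-managed persistence context component named `entityManager`, and the role name `user` from the posted web.xml. Unlike the LoginBean, it tolerates being referenced from an unsecured page (where getUserPrincipal() is null), asks the container for the role instead of trusting the URL pattern alone, and never re-authenticates with the stored password.

```java
import java.security.Principal;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Factory;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Out;
import org.jboss.seam.annotations.Scope;

// Added example, not code from the thread. Assumes the poster's UserInformation
// entity, a Seam-managed persistence context component named "entityManager",
// and the role name "user" from the posted web.xml <auth-constraint>.
@Name("currentUser")
@Scope(ScopeType.SESSION)
public class CurrentUser {

   private static final String REQUIRED_ROLE = "user";

   @In(create = true)
   private EntityManager entityManager;

   // Same context variable as the poster's bean, but required=false: the variable
   // is simply absent when nobody is logged in instead of failing outjection.
   @Out(value = "User", scope = ScopeType.SESSION, required = false)
   private UserInformation user;

   // Seam calls this the first time #{User} is referenced.
   @Factory("User")
   public void resolveUser() {
      user = lookup();
   }

   // Resolves the container-authenticated user; null when there is none.
   public UserInformation lookup() {
      ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
      Principal principal = ext.getUserPrincipal();
      if (principal == null) {
         // Outside the <security-constraint> URL pattern (e.g. /login.jsf) nobody is
         // authenticated yet; the LoginBean's factory throws NullPointerException here.
         return null;
      }
      // web.xml enforces the role for /marktplatz/* only; a component reached from
      // any other URL must ask the container itself.
      if (!ext.isUserInRole(REQUIRED_ROLE)) {
         throw new SecurityException(principal.getName() + " lacks role " + REQUIRED_ROLE);
      }
      try {
         return (UserInformation) entityManager
               .createQuery("from UserInformation where login = :login")
               .setParameter("login", principal.getName())
               .getSingleResult();
      } catch (NoResultException e) {
         // Authenticated by the container but missing from the table: treat as
         // logged out rather than failing with an exception on every page.
         return null;
      }
   }

   // #{currentUser.loggedIn} in a page: true only after the container's FORM login
   public boolean isLoggedIn() {
      return FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal() != null;
   }

   // Role membership as established by the login module's "Roles" group
   public boolean isUserInRole(String role) {
      return FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role);
   }
}
```

                      The SecurityException on a missing role is deliberate: a request that reaches the component without the role means the web.xml constraint did not cover that URL, which is worth failing loudly on rather than silently returning null.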

                      • 8. Re: Seam security example failure.
                        dabubble

                         


                        2.) I tried using a custom principal class (UserInformation implements Principal) by specifying the principalClass option for my login module, and it was used throughout the login process. However, in my web app I always got a SimplePrincipal object when doing


                        You have to override the login() method in your CustomLoginModule in order to use your own principal.

                        ex:

                        // assumed from context: caller is a field of the subclass, and getIdentity() is
                        // overridden to return it, since AbstractServerLoginModule.commit() adds getIdentity() to the Subject
                        private Principal caller;

                        @Override
                        public boolean login() throws LoginException
                        {
                           if (super.login())
                           {
                              caller = new CustomPrincipal(getUsername());
                              return true;
                           }
                           return false;
                        }

                        @Override
                        protected Principal getIdentity() { return caller; }