9 Replies Latest reply on Oct 3, 2007 9:16 AM by pmuir

Security Auto-Login Question

craig.barker Feb 19, 2007 2:57 PM

Hi All,

I've got a bit of a beginners question I've been struggling with for a few days now. I'm trying to use the new (1.1.6) security features and I must say they are very simple and powerful, great job.

Unfortunately all examples i've seen so far assume that a user will login to the session with a username/password and then hit the #{identity.login} button/link.

In my situation I've implemented single sign-on using NTLM authentication against windows credentials, and it works fine. The problem is i'm not sure how to execute the #{identity.login} without the user having to do anything!

Here's my authenticate object.

@Name("authenticator")
public class Authenticator
{
 @In Context sessionContext;

 @PersistenceContext(unitName="izzyDS")
 private EntityManager em;

 public boolean authenticate()
 {
 Identity.instance().setUsername(((NtlmPasswordAuthentication) sessionContext.get("NtlmHttpAuth")).getUsername());
 try
 {
 User user = (User) em.createQuery(
 "from User where username = :username")
 .setParameter("username", Identity.instance().getUsername())
 .getSingleResult();

 for (Object mem : user.getMemberships())
 {
 Identity.instance().addRole(((Membership)mem).getRole());
 }

 return true;
 }
 catch (NoResultException ex)
 {
 return false;
 }
 }

}

I'm quite flexible about the final page configuration and am running the packaged version of facelets and icefaces 1.5.3 if that helps.

I'm abit embarrassed as i've done all the difficult work and I just need this last (seemingly simple) step to get it all polished.

Many thanks in advance,

Craig

1. Re: Security Auto-Login Question

fernando_jmt Feb 19, 2007 4:00 PM (in response to craig.barker)
In the pages.xml add the page configuration for the first page you want to access (usually login.xhtml or home.html) and execute the login before rendering the page.

Somthing like:
<page view-id="/login.xhtml" action="#{identity.login}"> <navigation from-action="#{identity.login}"> <rule if="#{identity.loggedIn}"> <redirect view-id="/home.xhtml"/> </rule> </navigation> </page>

The above example means:
When you are trying to access to the page login.xhtml the identity.login action will be executed (same as pressing the button in the page, but without render anything yet), then your authenticator.authenticate method will be called, then if such method returns true, you will be logged in, and the next lines checks if you are logged in using the rule, and if that is true you can redirect the page you want, in this case it is reirecting the home.xhtml (of course already logged in).

HTH.
Actions
2. Re: Security Auto-Login Question

craig.barker Mar 12, 2007 6:17 AM (in response to craig.barker)

Excellent that did the trick.

Cheers
Actions
3. Re: Security Auto-Login Question

christian.bauer Mar 12, 2007 6:34 AM (in response to craig.barker)

It would be great if you could post the NTLM part of your solution on the Seam wiki.
Actions
4. Re: Security Auto-Login Question

jjarkko Apr 19, 2007 6:24 AM (in response to craig.barker)
What about situation where we just don't know the first Seam page the user is going to hit?

This is the case in portal environments.

Just keep hitting the #{identity.login} everytime?

<page view-id="/*" action="#{identity.login}"> </page>

Or can we use @Factory or smt?
Actions
5. Re: Security Auto-Login Question

dilator Apr 19, 2007 8:37 AM (in response to craig.barker)

"christian.bauer@jboss.com" wrote:
It would be great if you could post the NTLM part of your solution on the Seam wiki.

Sounds like it could be JCIFS http filter - jcifs.samba.org
Actions
6. Re: Security Auto-Login Question

axismundi Sep 26, 2007 7:35 AM (in response to craig.barker)

We need also NTLM authentication and the configuration is quite apparent.
However to me is not clear how to obtain the HTTP-request-headers from my authenticator.autenthicate() EJB3 bean-method in order to call request.getRemoteUser().

Seam provides Annotation for @RequestParameter, but I don't see anything like @HttpRequest to inject to javax.servlet.HttpServletRequest

any suggestion is appeciated.
Actions
7. Re: Security Auto-Login Question

craig.barker Sep 26, 2007 7:44 AM (in response to craig.barker)
Hi,

I will get around to posting this up on the WIKI but the 'day job' is currently taking up more than it's fair share of time. When it all calms down i'll get it done.

In answer to your query I use:

@In Context sessionContext; ... ((NtlmPasswordAuthentication) sessionContext.get("NtlmHttpAuth")).getUsername()

This allows me to extract the current session user's username, which I then pass off to the real authentication/authorisation code.

Hope this helps.

Craig
Actions
8. Re: Security Auto-Login Question

axismundi Sep 27, 2007 9:13 AM (in response to craig.barker)
I have no idea how you happen to have the NT-Login-name available in the session. In our configuration the NT-Login is passed as an attribute of the HTTP-request (and availble via request.getRemoteUser()).

I am using Seam 2 and I have added the authentication logic in my annotaded authentication class.

In components.xml I have configured
<security:identity authenticate-method="#{authenticator.authenticate}" />

In pages.xml I have the following config:

<page view-id="/login.xhtml"> <action execute="#{identity.login}"/> <navigation from-action="#{identity.login}"> <rule if="#{identity.loggedIn}"> <redirect view-id="/main.xhtml"></redirect> </rule> <rule if="#{not identity.loggedIn}"> <redirect view-id="/loginFailed.xhtml"></redirect> </rule> </navigation> </page>

The login.xml page is not existing. It is just a stub.
The method identity.login() should be called and itself calling authenticator.authenticate() but it isn't.
Any idea why?
Actions
9. Re: Security Auto-Login Question

pmuir Oct 3, 2007 9:16 AM (in response to craig.barker)

There are many discussions on the forum about how to execute auto-login.
Actions

Go to original post