Seam security with JAAS config
pdpantages Mar 1, 2007 6:08 PM
Hello Forum,
seam 1.1.6.GA
jboss-4.0.5.GA
ajax4jsf-1.0.6
Facelets
I am trying out the new seam security.
I want to use the JAAS security as described in sec. 12.2.5.1 of the ref manual.
I would like to know if there is a working example anywhere I could look at.
What I have tried is:
We have our own policy & I have set the jaas-config-name accordingly.
Note that I saw the bug report about the documentation and am using
"jaas-config-name" instead of "jaasConfigName".
In my components.xml I have the following:
<security:identity jaas-config-name="centina"/>
My login action authenticates like so:
    ....
    identity.setUsername(j_username);
    identity.setPassword(j_password);
    log.debug( "LoginAction: Identity Login result " + identity.login() ) ;
    ....
I removed the login-config and security-constraint tags from my web.xml
My web.xml now contains no JAAS security stuff in it.
When I give it a try, I find that the initial authentication works, calling our
authenticator as expected, & the identity.login() returns "success".
But the next call I make fails (see exception, below). This seems to
be due to the authentication principal not being saved anywhere? The stack trace
shows a re-authentication attempt.
I looked at the source for JBossSecurityMgrRealm etc., to see how
"they did it" and noticed the following is executed if the
authentication passes: ( line 494 )
    ...
    SecurityAssociationActions.setPrincipalInfo(principal, certs, subject);
    ...
The Seam Identity object does not do this (explicitly anyway) as far as
I can tell.
I tried to call SecurityAssociationActions.setPrincipalInfo() myself
after my authentication, in my login action, but can't do so as the
class is not public. I suppose that this really means I shouldn't try to
do it this way :)
I get the following failure. This exception is thrown because the
username passed in is null. The username is normally set by
UsernamePasswordLoginModule.getUsernameAndPassword() via callback
functions.
Anyway, my exception is:
javax.security.auth.login.LoginException: No username specified
    at centina.sa.server.security.SecurityManagerLoginModule.createIdentity(SecurityManagerLoginModule.java:59)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:194)
    at centina.sa.server.security.SecurityManagerLoginModule.login(SecurityManagerLoginModule.java:126)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
    at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
    at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
    at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
    at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:211)
    at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:79)
    at $Proxy1105.getUser(Unknown Source)
    .....
Here is the Thread.dumpStack() of the successful authentication by the Identity.login() method:
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1158)
    at centina.sa.server.security.SecurityManager.completeLogin(SecurityManager.java:507)
    at centina.sa.server.security.SecurityManagerLoginModule.commit(SecurityManagerLoginModule.java:180)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
    at org.jboss.seam.security.Identity.authenticate(Identity.java:206)
    at org.jboss.seam.security.Identity.authenticate(Identity.java:199)
    at org.jboss.seam.security.Identity.login(Identity.java:184)
    at centina.sa.client.session.LoginAction.login(LoginAction.java:158)
    .....
Any ideas (esp. an example) would be much appreciated.
Thanks, PdP
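
The two stack traces in the post above show two separate JAAS logins: one driven by the web-tier action with credentials, and a later one started by the EJB interceptor with no caller identity available. The following added example (not part of the original post, and not Seam or JBoss code) reproduces that pattern with the standard JAAS API only; `JaasReauthDemo`, `DemoLoginModule` and the username are hypothetical, constructed stand-ins.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasReauthDemo {
    // Hypothetical stand-in for the poster's module: a missing username is a login failure.
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            try { handler.handle(new Callback[] { name }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            if (name.getName() == null) throw new LoginException("No username specified");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // In-memory JAAS configuration: one REQUIRED module, returned for any config name.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Collections.<String, Object>emptyMap()) };
        }
    };

    // Each call is an independent LoginContext; nothing carries over between calls.
    static String attempt(final String username) {
        CallbackHandler h = new CallbackHandler() {
            public void handle(Callback[] cbs) {
                for (Callback cb : cbs)
                    if (cb instanceof NameCallback && username != null) ((NameCallback) cb).setName(username);
            }
        };
        try {
            new LoginContext("centina", new Subject(), h, CONFIG).login();
            return "success";
        } catch (LoginException e) { return "failed: " + e.getMessage(); }
    }
    public static void main(String[] args) {
        System.out.println("login with credentials: " + attempt("constructed-user"));
        System.out.println("later login, no caller: " + attempt(null));
    }
}
```

The first attempt succeeds and the second fails with `No username specified`, because a successful `LoginContext.login()` only populates the `Subject` passed to it and does not make the identity available to a later, separate authentication.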