Security: Better support for single sign on?!
stephen.friedrich Sep 19, 2007 6:49 PM
I need to integrate my Seam app with an existing custom-made SSO solution.
After some trial and error I came up with this solution that is basically working, even with login redirection configured (using redirect.captureCurrentView/returnToCapturedView exactly as documented in the Seam reference).
    import javax.servlet.http.HttpServletRequest;

    import org.jboss.seam.ScopeType;
    import org.jboss.seam.annotations.In;
    import org.jboss.seam.annotations.Name;
    import org.jboss.seam.annotations.Scope;
    import org.jboss.seam.faces.FacesMessages; // org.jboss.seam.core.FacesMessages in Seam 1.2
    import org.jboss.seam.security.Identity;

    // FacesUtil, SsoAuthenticator and UserData are application classes not shown in the post.
    @Name("authenticator")
    @Scope(ScopeType.CONVERSATION)
    public class Authenticator {
        @In
        private Identity identity;

        private UserData userData;

        // This method is configured in pages.xml as an action called for all pages:
        // <page view-id="/*" login-required="true" action="#{authenticator.checkLogin}"/>
        public void checkLogin() {
            // if already logged on, simply continue
            if (identity.isLoggedIn()) {
                return;
            }

            // try SSO auto login
            HttpServletRequest request = FacesUtil.getServletRequest();
            userData = new SsoAuthenticator().validateSsoToken(request); // results in a web service call
            if (userData != null) {
                identity.login();
                // Don't know another, more direct way to login, so store
                // userData in field and check it in the authenticate method
            }
        }

        // This method is configured in components.xml as the identity's authenticate-method:
        // <security:identity authenticate-method="#{authenticator.authenticate}"/>
        public boolean authenticate() {
            if (userData != null) {
                // previously an SSO token has been validated - log in automatically
                userData = null;
                return true;
            }

            String userName = Identity.instance().getUsername();
            String password = Identity.instance().getPassword();
            userData = new SsoAuthenticator().login(userName, password); // results in a web service call
            if (userData == null) {
                FacesMessages.instance().add("Invalid username/password");
                return false;
            }
            return true;
        }
    }
Small problem: After a successful SSO auto login the next page displays
Warning
1. Please log in first
2. Welcome, Stephen
How can I prevent these messages or clear them afterwards?
Open issue:
If the user hits the login page directly (as opposed to being redirected when trying to access another page) I'd like to redirect after the login to different pages depending on the user's roles.
Any suggestions?
Proposal: Here's a way to make integration into an SSO solution easier:
Add an attribute to identity that lets me specify a method that is used to try auto-login:
<security:identity authenticate-method="#{authenticator.authenticate}" auto-login-method="#{authenticator.tryAutoLogin}"/>
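
In the authenticate() method above, the password path leaves userData set after a successful login, so another authenticate() call on the same component instance takes the "token already validated" branch without checking the password. The following model of that handoff is an added example, not part of the original post, and compares the shared field with a dedicated one-shot flag. It uses no Seam classes; HandoffDemo, SharedField, OneShotFlag, backendLogin and the sample account are hypothetical stand-ins.

```java
import java.util.Map;
// Added illustration, not the poster's code; every name is hypothetical.
public class HandoffDemo {
    // Constructed sample account for the stand-in SSO backend.
    static final Map<String, String> USERS = Map.of("stephen", "s3cret");

    // Stands in for SsoAuthenticator.login(): user data, or null on failure.
    static String backendLogin(String user, String pass) {
        if (user == null || pass == null) return null;
        return pass.equals(USERS.get(user)) ? user : null;
    }

    // Same shape as the posted authenticate(): one field is both the
    // "SSO token already validated" marker and the password-login result.
    static class SharedField {
        String userData;
        boolean authenticate(String user, String pass) {
            if (userData != null) { userData = null; return true; }
            userData = backendLogin(user, pass);
            return userData != null;
        }
    }

    // Variant: a dedicated flag that every call consumes, kept apart from the user data.
    static class OneShotFlag {
        boolean ssoValidated;
        String userData;
        void ssoTokenAccepted(String user) { userData = user; ssoValidated = true; }
        boolean authenticate(String user, String pass) {
            boolean viaSso = ssoValidated;
            ssoValidated = false; // cleared whether or not it was set
            if (viaSso) return true;
            userData = backendLogin(user, pass);
            return userData != null;
        }
    }

    public static void main(String[] args) {
        SharedField a = new SharedField();
        System.out.println("shared, password ok:  " + a.authenticate("stephen", "s3cret"));
        System.out.println("shared, wrong pass:   " + a.authenticate("stephen", "wrong"));
        OneShotFlag b = new OneShotFlag();
        System.out.println("flag, password ok:    " + b.authenticate("stephen", "s3cret"));
        System.out.println("flag, wrong pass:     " + b.authenticate("stephen", "wrong"));
        b.ssoTokenAccepted("stephen");
        System.out.println("flag, SSO handoff:    " + b.authenticate(null, null));
        System.out.println("flag, handoff reused: " + b.authenticate(null, null));
    }
}
```

Whether the stale field can be reached in the real application depends on how long the conversation-scoped component instance lives between the two calls.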