12 Replies Latest reply on Dec 27, 2007 5:44 PM by pmuir

    Why is Authenticator.authenticate() called twice if it retur

      Hi!

      I've just generated an application with seam-gen (seam-2.0.0.CR2) and modified the Authenticator.authenticate() method to return false as well:

       public boolean authenticate()
       {
           log.info("authenticating #0", identity.getUsername());
           // Only the username is compared; the password is never checked.
           if ("Foo".equalsIgnoreCase(identity.getUsername())) {
               identity.addRole("admin");
               log.info("Autentication: #0", "TRUE");
               return true;
           } else {
               log.info("Autentication: #0", "FALSE");
               return false;
           }
       }
      


      Now obviously a user "Foo" can log in with an arbitrary password and any other user gets an "invalid login" message. Everything's fine so far, but interestingly I'm getting two


      authenticating xxx
      Autentication: FALSE


      entries in the log if a user "xxx" tries to log in - hence the authenticate() method is called twice.
      Could anyone explain to me why this is the case? I thought that if an action method returns false, the current page is simply re-rendered.

      Thanks a lot for any explanations.

      Best regards, Kurt

        • 1. Re: Why is Authenticator.authenticate() called twice if it r
          toby451

          We're experiencing the same problem. And for us it led to a small bug as well. Our authenticate method (unfortunately) wasn't side-effect-free, which led to the second call being treated differently from the first one.

          Question remains: Why is it called twice?

          • 2. Re: Why is Authenticator.authenticate() called twice if it r
            toby451

            The call stacks differ in the following ways!

            First call to login-method:

            ...
            at org.jboss.seam.security.Identity.quietLogin(Identity.java:265)
            at org.jboss.seam.security.Identity.isLoggedIn(Identity.java:182)
            at org.jboss.seam.security.Identity.isLoggedIn(Identity.java:172)
            at sun.reflect.GeneratedMethodAccessor748.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)
            at org.jboss.seam.util.Reflections.invoke(Reflections.java:21)
            at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
            at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
            at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
            at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:32)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
            at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:106)
            at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:155)
            at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:91)
            at se.reco.security.RecoIdentity_$$_javassist_4.isLoggedIn(RecoIdentity_$$_javassist_4.java)
            ...
            


            Second call to same method:
            ...
            at org.jboss.seam.security.Identity.login(Identity.java:237)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)
            at org.jboss.seam.util.Reflections.invoke(Reflections.java:21)
            at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
            at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
            at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
            at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:32)
            at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
            at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:106)
            at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:155)
            at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:91)
            at se.reco.security.RecoIdentity_$$_javassist_4.login(RecoIdentity_$$_javassist_4.java)
            ...
            



            Seems the isLoggedIn (a deceiving name) is quietly trying to log in further down (up in the listing) the stack.

            Maybe a bug? Or is it a requirement to write side-effect free authenticate-methods on rejected logins?



            • 3. Re: Why is Authenticator.authenticate() called twice if it r
              pmuir

               

              "Toby451" wrote:
              Maybe a bug? Or is it a requirement to write side-effect free authenticate-methods on rejected logins?


              Not a bug, there is nothing in the Seam security API which specifies how many times the authenticate method is called. CVS contains events which are raised on failed/succeeded logins (as opposed to authentications).

              • 4. Re: Why is Authenticator.authenticate() called twice if it r
                toby451

                Ah, thanks for clarifying Pete.

                There are actually more reports in the forum about this. Maybe it should be stressed in the reference that:
                - Seam might call the authenticate method at will (so to speak)
                - the authenticate method (as a consequence) probably should be side-effect-free.

                • 5. Re: Why is Authenticator.authenticate() called twice if it r
                  pmuir

                  Please file a JIRA request for this :)

                  • 6. Re: Why is Authenticator.authenticate() called twice if it r
                    b.reeve

                    Isn't this referring to

                    http://jira.jboss.org/jira/browse/JBSEAM-2165

                    and it says it is fixed in CVS. Is it out in 2.0.0.GA? I am still having this issue in 2.0.0.GA.

                    Could anyone please clarify?

                    Thanks !

                    • 7. Re: Why is Authenticator.authenticate() called twice if it r
                      toby451

                      If you read the jira-issue you just posted it clearly says:

                      Fix Version/s: 2.0.1.CR1

                      /Tobias

                      • 8. Re: Why is Authenticator.authenticate() called twice if it r
                        b.reeve

                        Sorry my mistake. I read it as 2.0.0.CR1.

                        Thanks !

                        • 9. Re: Why is Authenticator.authenticate() called twice if it r
                          b.reeve

                          Hi,

                          I downloaded Seam 2.0.1 CR1 to test the Authenticator method being called twice when the login method returns false and it looks like this issue is still there.

                          Could anyone please provide some insight.

                          Thanks !

                          • 10. Re: Why is Authenticator.authenticate() called twice if it r
                            pmuir

                            As stated many times by both Shane and me, there is no guarantee on how many times Seam will call the authenticate method, as discussed in the security chapter.

                            • 11. Re: Why is Authenticator.authenticate() called twice if it r
                              b.reeve

                              Please refer to

                              http://jira.jboss.com/jira/secure/ReleaseNote.jspa?version=12311437&styleName=Html&projectId=10071&Create=Create


                              * [JBSEAM-2165] - Authenticator method invoked twice when login fails


                              • 12. Re: Why is Authenticator.authenticate() called twice if it r
                                pmuir

                                So the resolution message isn't clear on the issue, but the resolution was to add events called on login success and failure as documented in the security chapter. Sorry, we aren't going to be making it so it's only called once.
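
Added example, not part of the original thread and not Seam code: a plain-Java model of the two call paths in the stack traces above (a quiet login via isLoggedIn(), then the explicit login()), showing why a side effect inside authenticate() misbehaves and why it belongs in a once-per-attempt login-failure hook like the events pmuir describes. The class, the lockout counter and the threshold are all hypothetical, and the code needs Java 8 or later.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;

// Constructed model of the thread's scenario; every name here is hypothetical.
public class DoubleAuthDemo {
    static final int LOCKOUT_THRESHOLD = 3;
    final Map<String, Integer> failures = new HashMap<>();

    // Pure credential check: safe to call any number of times.
    boolean check(String user) {
        return "Foo".equalsIgnoreCase(user);
    }

    // Anti-pattern: the failure counter is bumped inside authenticate().
    boolean impureAuthenticate(String user) {
        boolean ok = check(user);
        if (!ok) failures.merge(user, 1, Integer::sum);
        return ok;
    }

    // Stand-in for a login-failure event: fired once per login attempt.
    void onLoginFailed(String user) {
        failures.merge(user, 1, Integer::sum);
    }

    // One login attempt as seen in the stack traces: the authenticator runs
    // once via isLoggedIn() -> quietLogin(), then again via login().
    boolean login(String user, Predicate<String> authenticate, boolean raiseEvent) {
        authenticate.test(user);
        boolean ok = authenticate.test(user);
        if (!ok && raiseEvent) onLoginFailed(user);
        return ok;
    }

    boolean lockedOut(String user) {
        return failures.getOrDefault(user, 0) >= LOCKOUT_THRESHOLD;
    }

    public static void main(String[] args) {
        // Counter inside authenticate(): each bad attempt is recorded twice.
        DoubleAuthDemo impure = new DoubleAuthDemo();
        for (int i = 0; i < 2; i++) impure.login("xxx", impure::impureAuthenticate, false);
        System.out.println("impure: " + impure.failures + " locked=" + impure.lockedOut("xxx"));

        // Pure authenticate() plus the hook: each bad attempt is recorded once.
        DoubleAuthDemo pure = new DoubleAuthDemo();
        for (int i = 0; i < 2; i++) pure.login("xxx", pure::check, true);
        System.out.println("pure:   " + pure.failures + " locked=" + pure.lockedOut("xxx"));
    }
}
```

The same reasoning applies to any state change made during authentication, such as audit records or lockout timers: keep authenticate() a pure credential check and attach the state change to the login outcome.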