-
1. Re: Why is Authenticator.authenticate() called twice if it r
toby451 Nov 26, 2007 10:10 AM (in response to appendix)We're experiencing the same problem. And for us it led to a small bug as well. Our authenticate-method (unfortunately) wasn't side effect-free which led to that second call was treated differently than first one.
Question remains: Why is it called twice? -
2. Re: Why is Authenticator.authenticate() called twice if it r
toby451 Nov 26, 2007 10:42 AM (in response to appendix)The call stacks differ in the following ways!
First call to login-method:... at org.jboss.seam.security.Identity.quietLogin(Identity.java:265) at org.jboss.seam.security.Identity.isLoggedIn(Identity.java:182) at org.jboss.seam.security.Identity.isLoggedIn(Identity.java:172) at sun.reflect.GeneratedMethodAccessor748.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.seam.util.Reflections.invoke(Reflections.java:21) at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56) at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:32) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:106) at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:155) at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:91) at se.reco.security.RecoIdentity_$$_javassist_4.isLoggedIn(RecoIdentity_$$_javassist_4.java) ...
Second call to same method:... at org.jboss.seam.security.Identity.login(Identity.java:237) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.seam.util.Reflections.invoke(Reflections.java:21) at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56) at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:32) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:106) at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:155) at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:91) at se.reco.security.RecoIdentity_$$_javassist_4.login(RecoIdentity_$$_javassist_4.java) ...
Seems the isLoggedIn (a deceiving name) is quietly trying to login further down (up in the listing) the stack.
Maybe a bug? Or is it a requirement to write side-effect free authenticate-methods on rejected logins? -
3. Re: Why is Authenticator.authenticate() called twice if it r
pmuir Nov 26, 2007 12:48 PM (in response to appendix)"Toby451" wrote:
Maybe a bug? Or is it a requirement to write side-effect free authenticate-methods on rejected logins?
Not a bug, there is nothing in the Seam security API which specifies how many times the authenticate method is called. CVS contains events which are raised on failed/succeeded logins (as opposed to authentications). -
4. Re: Why is Authenticator.authenticate() called twice if it r
toby451 Nov 27, 2007 3:44 AM (in response to appendix)Ah, thanks for clarifying Pete.
There are actually more reports in the forum about this. Maybe it should be stressed in the reference that:
- seam might call the authenticate method at will (so to speak)
- the authenticate method (as a consequence) probably should be side-effect-free. -
5. Re: Why is Authenticator.authenticate() called twice if it r
pmuir Nov 27, 2007 6:39 AM (in response to appendix)Please file a JIRA request for this :)
-
6. Re: Why is Authenticator.authenticate() called twice if it r
b.reeve Dec 17, 2007 1:57 PM (in response to appendix)Isn't this referring to
http://jira.jboss.org/jira/browse/JBSEAM-2165
and it says it is fixed in CVS. Is it out in 2.0.0.GA? I am still having this issue in 2.0.0.GA.
Could anyone please clarify.
Thanks ! -
7. Re: Why is Authenticator.authenticate() called twice if it r
toby451 Dec 17, 2007 5:27 PM (in response to appendix)If you read the jira-issue you just posted it clearly says:
Fix Version/s: 2.0.1.CR1
/Tobias -
8. Re: Why is Authenticator.authenticate() called twice if it r
b.reeve Dec 17, 2007 6:59 PM (in response to appendix)Sorry my mistake. I read it as 2.0.0.CR1.
Thanks ! -
9. Re: Why is Authenticator.authenticate() called twice if it r
b.reeve Dec 26, 2007 2:18 PM (in response to appendix)Hi,
I downloaded Seam 2.0.1 CR1 to test the Authenticator method being called twice when the login method returns false and it looks like this issue is still there.
Could anyone please provide some insight.
Thanks ! -
10. Re: Why is Authenticator.authenticate() called twice if it r
pmuir Dec 26, 2007 3:49 PM (in response to appendix)As stated many times by both Shane and me, there is no gauruntee on how many times Seam will call the authenticate method as discussed in the security chapter.
-
11. Re: Why is Authenticator.authenticate() called twice if it r
b.reeve Dec 27, 2007 1:11 PM (in response to appendix)please refer to
http://jira.jboss.com/jira/secure/ReleaseNote.jspa?version=12311437&styleName=Html&projectId=10071&Create=Create
* [JBSEAM-2165] - Authenticator method invoked twice when login fails -
12. Re: Why is Authenticator.authenticate() called twice if it r
pmuir Dec 27, 2007 5:44 PM (in response to appendix)So the resolution message isn't clear on the issue, but the resolution was to add events called on login success and failure as documented in the security chapter. Sorry, we aren't going to be making it so it's only called once.