-
1. Re: identity authenticator method runs twice
shane.bryzak Nov 1, 2007 7:50 PM (in response to jgreene)
This was brought up on the forums very recently. There is no guarantee how many times the authenticate method will be called.
-
2. Re: identity authenticator method runs twice
jgreene Nov 1, 2007 8:50 PM (in response to jgreene)
Shane -
Thanks for the reply. Sorry I didn't find anything on the forums - guess I didn't use the right search string.
Please understand that I'm in my first Seam project, so don't know all the nuances, so I have to ask - why is there no guarantee how many times the authenticate method will be called? Is this a bug? Is there a link where this is documented besides the forums? Thanks.
-
3. Re: identity authenticator method runs twice
shane.bryzak Nov 2, 2007 3:16 AM (in response to jgreene)
No, this isn't a bug. If credentials have been set yet the login() method hasn't been explicitly called, Seam Security may attempt to perform a "quiet" login if any security checks (such as hasRole() or hasPermission()) are invoked. This provision allows for single sign-on etc to authenticate quietly without having to present the user with an unnecessary login form.
-
4. Re: identity authenticator method runs twice
jgreene Nov 2, 2007 8:25 AM (in response to jgreene)
Thanks, Shane. That makes sense. Is it documented anywhere else, and is it configurable? I'd like to consider using the Identity feature, but we need to track failed logins and can't allow multiple login() executions with only one user action.
-
5. Re: identity authenticator method runs twice
pmuir Nov 2, 2007 8:39 AM (in response to jgreene)
*login()* gets called once, *authenticate()* many times. This seems to me to be perfectly acceptable behaviour.
-
6. Re: identity authenticator method runs twice
jgreene Nov 2, 2007 10:34 AM (in response to jgreene)
Pete -
My login method was executing more than once because I put the following line in my components.xml file:
<security:identity authenticate-method="#{loginManager.login}" />
Of course, at the time, I wasn't aware that the authenticate method executed more than once.
I certainly trust you jboss guys, but I was just wondering if and where it was documented so I could read more about it - we will probably be using single sign-on down the road.
-
7. Re: identity authenticator method runs twice
jgreene Nov 5, 2007 6:45 PM (in response to jgreene)
Pete -
After seeing the JIRA ticket on this, and rereading the prior posts, it occurred to me that there may have been a little confusion about the "login" method that I was referring to. I was referring to my own "login" method that is configured in components.xml to serve as the authenticator method.
In our "login" method, we want to track the number of consecutive times a user fails login with a wrong password. I've configured the components.xml file to use my "login" method, but the property for number of consecutive failed logins gets incremented by 2 when the user actually fails only once. Since the Seam security framework invites the user to write his own authenticator, then configure it to be used, having it executed twice outside the programmer's control does not seem like acceptable behavior.
I've seen the recent JIRA ticket for this. Is it still slated to be fixed in 2.0.1GA?
Thank you.
-
8. Re: identity authenticator method runs twice
gothmog Nov 5, 2007 11:15 PM (in response to jgreene)
I am also getting this problem and can confirm that it has been introduced in 2.0.0.CR2.
On a failed login I get two calls to my own authenticate method and subsequently (because I add a faces message in my authenticate method) I get my two messages plus the standard Login Failed message for a total of three messages on a failed login (when I really only want two).
If I roll back to 2.0.0.BETA1 (and change nothing else) the problem goes away. Where is the JIRA for this? How do you find these things?
Troy
-
9. Re: identity authenticator method runs twice
shane.bryzak Nov 5, 2007 11:36 PM (in response to jgreene)
Once the following feature is implemented, you'll have a couple of extra events that you'll be able to hook into.
http://jira.jboss.org/jira/browse/JBSEAM-2200
-
10. Re: identity authenticator method runs twice
jgreene Nov 5, 2007 11:45 PM (in response to jgreene)
Troy -
Thanks for the info - looks like several of us are having this problem. Here's a link to the JIRA ticket I mentioned:
http://jira.jboss.org/jira/browse/JBSEAM-2165
Also, see Shane's previous post. Looks like another, more recent, ticket has just been created.
Shane -
Does the JBSEAM-2200 ticket supersede the -2165 ticket?
-
11. Re: identity authenticator method runs twice
shane.bryzak Nov 6, 2007 3:59 AM (in response to jgreene)
JBSEAM-2200 doesn't supersede JBSEAM-2165, and there is still no guarantee as to how many times we will call the authenticate method.
On a side note, both of these issues have now been resolved in CVS.
-
12. Re: identity authenticator method runs twice
jgreene Nov 6, 2007 9:38 AM (in response to jgreene)
Thanks Shane -
I'll have to try the latest of course, but when you say there's no guarantee how many times the authenticate method will be called, yet both issues have been resolved, what does that mean for those of us who write their own "login" method and configure it in components.xml using the "authenticate-method" attribute? Can we be assured that it will not execute multiple times outside the programmer's control? This double execution on a single failed login attempt is one of the big issues, isn't it?
Thanks again, Shane.
- Joe
-
13. Re: identity authenticator method runs twice
shane.bryzak Nov 6, 2007 10:19 AM (in response to jgreene)
There's no assurance that the authenticate-method won't be called more than once, however this shouldn't be a problem now as there are two new events, loginSuccessful and loginFailed (I'll update the docs with this) which are guaranteed only to be fired once per actual login attempt.
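Added example, not part of the original thread and not Seam's code: a plain-Java model of the behaviour described in this thread, where a role check performs a "quiet" login after a failed login(). The class and member names are hypothetical stand-ins for Seam's Identity, the configured authenticate-method and the loginFailed event; the model contrasts counting failed logins inside the authenticator with counting them in an event observer.

```java
import java.util.function.Predicate;

/** Simplified model of the behaviour described in this thread; not Seam code. */
public class QuietLoginModel {
    static class Identity {
        String username, password;
        boolean loggedIn;
        Predicate<Identity> authenticator;        // plays the role of authenticate-method
        Runnable onLoginFailed = () -> {};        // plays the role of the loginFailed event

        private boolean authenticate() {          // may run any number of times
            loggedIn = authenticator.test(this);
            return loggedIn;
        }

        void login() {                            // explicit attempt: event fires once
            if (!authenticate()) onLoginFailed.run();
        }

        boolean hasRole(String role) {            // security check during page rendering
            if (!loggedIn && username != null) authenticate();   // "quiet" login
            return loggedIn;
        }
    }

    /** Returns {count kept inside the authenticator, count kept in the observer}. */
    static int[] failedLoginCounts() {
        int[] inAuthenticator = {0}, inObserver = {0};
        Identity id = new Identity();
        id.authenticator = i -> {
            boolean ok = "correct-password".equals(i.password);
            if (!ok) inAuthenticator[0]++;        // side effect: repeats on every call
            return ok;
        };
        id.onLoginFailed = () -> inObserver[0]++; // once per login() attempt
        id.username = "jdoe";                     // constructed sample credentials
        id.password = "wrong-password";
        id.login();                               // the single user action
        id.hasRole("admin");                      // re-rendered login page checks a role
        return new int[] {inAuthenticator[0], inObserver[0]};
    }

    public static void main(String[] args) {
        int[] c = failedLoginCounts();
        System.out.println("counted in authenticator: " + c[0]);
        System.out.println("counted in loginFailed observer: " + c[1]);
    }
}
```

For lockout or audit counters, the authenticator should only decide whether the credentials are valid, and the bookkeeping belongs in the once-per-attempt event handler.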
-
14. Re: identity authenticator method runs twice
jgreene Nov 6, 2007 10:45 AM (in response to jgreene)
Fantastic! I look forward to seeing the docs. Any idea when they'll be updated?