13 Replies Latest reply on Feb 17, 2011 7:44 AM by tobijr

    Seam security and JAAS

    tobijr

      I was reading that seam-security won't work anymore with JAAS but with PicketLink.
      I was thinking:


      1) Would this create a dependency on JBoss?
      2) Would it be possible to make PicketLink work with the JAAS principal?
      I mean, I saw that there's an integration with JAAS: http://community.jboss.org/wiki/STSLoginModules
      But I'm not certain how this would work within a single sign-on solution, for example.
      3) Besides the group's permission which PicketLink adds to the game, are there other big advantages that PicketLink has over JAAS?

        • 1. Re: Seam security and JAAS
          shane.bryzak

          That's not quite true.  While we've stopped using JAAS for the basic authentication API, we still provide a JaasAuthenticator [1] that should allow you to authenticate using an existing JAAS configuration. 


          As for the dependencies, there is none on JBoss AS (PicketLink is just a set of libraries that you can deploy with any Java EE application).


          PicketLink offers a great number of advantages over JAAS.  Besides providing a much more versatile security model, one of the best features (that Seam is making use of) is the Identity Management API.



          [1]
          https://github.com/seam/security/blob/master/impl/src/main/java/org/jboss/seam/security/jaas/JaasAuthenticator.java

          • 2. Re: Seam security and JAAS
            tobijr

            Thanks for answering, Shane.
            Is there an example with the JaasAuthenticator?

            • 3. Re: Seam security and JAAS
              shane.bryzak

              Not as such, as the example would have to make assumptions about what JAAS configurations were available in the container that you were deploying to.  The JaasAuthenticator bean is dead simple to configure though, you simply need to specify the jaasConfigName property to the JAAS configuration name that you wish to use.  Oh, and you need to specify jaasAuthenticator for the authenticatorName property in IdentityImpl.

              • 4. Re: Seam security and JAAS
                tobijr

                OK Shane, maybe it's obvious for you, but I have some questions.

                How can I activate the use of the JaasAuthenticator? Normally the action of a login form is j_security_check. Can I still submit my form that way? Or should I have a commandButton calling the jaasAuthenticator?

                And what about the configuration in web.xml? Can I use the <login-config> and <security-constraint> configurations?

                And where do I configure the jaasConfigName?


                • 5. Re: Seam security and JAAS
                  shane.bryzak

                  To use JaasAuthenticator for authentication you just use the standard Seam login mechanism, i.e. set the username/password properties in the Credentials bean and then call Identity.login()


                  To configure the jaasConfigName property, use the Seam Config module.

                  • 6. Re: Seam security and JAAS
                    tobijr

                    Thank you Shane.


                    But I still have a problem.


                    I'm using seam-config this way:


                    <beans xmlns="http://java.sun.com/xml/ns/javaee"
                           xmlns:s="urn:java:ee"
                           xmlns:jaas="urn:java:org.jboss.seam.security.jaas"
                           xmlns:ss="urn:java:org.jboss.seam.security">

                        <jaas:JaasAuthenticator>
                            <s:modifies />
                            <jaas:jaasConfigName>seg_security_domain</jaas:jaasConfigName>
                        </jaas:JaasAuthenticator>
                        <ss:IdentityImpl>
                            <s:modifies />
                            <ss:authenticatorName>jaasAuthenticator</ss:authenticatorName>
                        </ss:IdentityImpl>
                    </beans>




                    But now it cannot find the jaasAuthenticator:


                    ERROR [org.jboss.seam.security.IdentityImpl] No authenticator with name [jaasAuthenticator] was found





                    Am I doing something wrong?

                    • 7. Re: Seam security and JAAS
                      shane.bryzak

                      Ah, you just came across the same problem I had a few weeks ago.  The JaasAuthenticator bean is annotated with @Model, a stereotype which makes it a named, request-scoped bean.  Unfortunately, the authenticator API uses an Instance to select the correct authenticator by name (using the @Named qualifier); however, it doesn't work with @Model.


                      The problem is on my end, I need to change the annotations on the JaasAuthenticator bean to explicitly include the @Named annotation (I'll make this change immediately).  For a workaround, simply copy the contents of the JaasAuthenticator class to a new bean class (call it MyJaasAuthenticator or something) and annotate it with @Named @RequestScoped, then use it in place of JaasAuthenticator.  Sorry about the inconvenience.

                      • 8. Re: Seam security and JAAS
                        tobijr

                        Hi Shane,


                        I did what you suggested, but the selector still can't find the class by the NamedLiteral.


                        I iterated through the authenticators and it can find myJaasAuthenticator:


                        for (Authenticator authenticator : authenticators) {
                            System.out.println(authenticator.toString());
                        }




                        [STDOUT] org.jboss.seam.security.jaas.JaasAuthenticator@1d4393b
                        [STDOUT] cc.spinner.securitytest.MyJaasAuthenticator@1f95587
                        [STDOUT] org.jboss.seam.security.management.IdmAuthenticator@5204b0



                        But if I try:


                        Instance<Authenticator> selected = authenticators.select(new NamedLiteral("myJaasAuthenticator"));



                        It gets unsatisfied.






                        • 9. Re: Seam security and JAAS
                          tobijr

                          w00t!


                          I used @Named(withExplicitName)


                          and configured the IdentityImpl to use withExplicitName and it worked!



                          • 10. Re: Seam security and JAAS
                            tobijr

                            Shane,


                            It's authenticating now, but when it tries to call activeAuthenticator.getUser() in the postAuthenticate method of IdentityImpl (line 346), it gets a null user.


                            Where is it transforming the JAAS subject into a user?

                            • 11. Re: Seam security and JAAS
                              shane.bryzak

                              It seems as though you've just discovered a bug - could you please raise an issue in JIRA [1] for this?  To work around this problem, add the following line to your authenticate() method in MyJaasAuthenticator, after the call to getLoginContext().login():




                              setUser(new SimpleUser(credentials.getUserName()));




                              Let me know if this still doesn't work.



                              [1] http://issues.jboss.org/browse/SEAMSECURITY

                              • 12. Re: Seam security and JAAS
                                tobijr

                                Since I now have a copy of the JaasAuthenticator, I implemented it in the postAuthenticate method.
                                Probably when you fix the @Model/@Named problem, I'll inherit from the original JaasAuthenticator and keep using the method I developed.


                                Thank you very much shane!

                                • 13. Re: Seam security and JAAS
                                  tobijr

                                  Shane,


                                  I tried to create a JBoss Community user (to create a Jira issue) but I couldn't, since the confirmation email never arrived. Actually, I've been trying to register since yesterday.
                                  Although I'll try to register again later, if you don't want to take the risk of losing the issue in the air, it would probably be better if you create it yourself.