-
1. Re: Seam security and JAAS
shane.bryzak Feb 14, 2011 5:07 PM (in response to tobijr)
That's not quite true. While we've stopped using JAAS for the basic authentication API, we still provide a JaasAuthenticator [1] that should allow you to authenticate using an existing JAAS configuration.
As for the dependencies, there is none on JBoss AS (PicketLink is just a set of libraries that you can deploy with any Java EE application).
PicketLink offers a great number of advantages over JAAS. Besides providing a much more versatile security model, one of the best features (that Seam is making use of) is the Identity Management API.
-
2. Re: Seam security and JAAS
tobijr Feb 15, 2011 5:47 AM (in response to tobijr)
thanks for answering shane,
Is there an example with the JaasAuthenticator?
-
3. Re: Seam security and JAAS
shane.bryzak Feb 15, 2011 6:09 AM (in response to tobijr)
Not as such, as the example would have to make assumptions about what JAAS configurations were available in the container that you were deploying to. The JaasAuthenticator bean is dead simple to configure though, you simply need to specify the jaasConfigName property to the JAAS configuration name that you wish to use. Oh, and you need to specify jaasAuthenticator for the authenticatorName property in IdentityImpl.
-
4. Re: Seam security and JAAS
tobijr Feb 15, 2011 1:09 PM (in response to tobijr)
ok shane, maybe it's obvious for you, but I have some questions.
How can I activate the use of the JaasAuthenticator? Normally the action of a login form is the j_security_check.
Can I still submit my form that way? Or should I have a commandButton calling the jaasAuthenticator?
And what about the configuration in web.xml? Can I use the configurations <login-config> and <security-constraint>?
And where do I configure the jaasConfigName?
-
5. Re: Seam security and JAAS
shane.bryzak Feb 15, 2011 3:31 PM (in response to tobijr)
To use JaasAuthenticator for authentication you just use the standard Seam login mechanism, i.e. set the username/password properties in the Credentials bean and then call Identity.login().
To configure the jaasConfigName property, use the Seam Config module.
-
6. Re: Seam security and JAAS
tobijr Feb 16, 2011 1:23 PM (in response to tobijr)
Thank you Shane.
But I still have a problem.
I'm using seam-config this way:
    xmlns:jaas="urn:java:org.jboss.seam.security.jaas"
    xmlns:ss="urn:java:org.jboss.seam.security">

    <jaas:JaasAuthenticator>
        <s:modifies />
        <jaas:jaasConfigName>seg_security_domain</jaas:jaasConfigName>
    </jaas:JaasAuthenticator>

    <ss:IdentityImpl>
        <s:modifies />
        <ss:authenticatorName>jaasAuthenticator</ss:authenticatorName>
    </ss:IdentityImpl>
but now it can not find the jaasAuthenticator:
ERROR [org.jboss.seam.security.IdentityImpl] No authenticator with name [jaasAuthenticator] was found
Am I doing something wrong?
-
7. Re: Seam security and JAAS
shane.bryzak Feb 16, 2011 4:27 PM (in response to tobijr)
Ah, you just came across the same problem I had a few weeks ago. The JaasAuthenticator bean is annotated with @Model, a stereotype which makes it a named, request-scoped bean. Unfortunately, the authenticator API uses an Instance to select the correct authenticator by name (using the @Named qualifier); however, it doesn't work with @Model.
The problem is on my end, I need to change the annotations on the JaasAuthenticator bean to explicitly include the @Named annotation (I'll make this change immediately). For a workaround, simply copy the contents of the JaasAuthenticator class to a new bean class (call it MyJaasAuthenticator or something) and annotate it with @Named @RequestScoped, then use it in place of JaasAuthenticator. Sorry about the inconvenience.
-
8. Re: Seam security and JAAS
tobijr Feb 17, 2011 5:50 AM (in response to tobijr)
Hi Shane,
I did what you suggested but still the selector can't find the class by the NamedLiteral.
I made an iteration through authenticators and it can find myJaasAuthenticator:
    for (Authenticator authenticator : authenticators) {
        System.out.println(authenticator.toString());
    }
    [STDOUT] org.jboss.seam.security.jaas.JaasAuthenticator@1d4393b
    [STDOUT] cc.spinner.securitytest.MyJaasAuthenticator@1f95587
    [STDOUT] org.jboss.seam.security.management.IdmAuthenticator@5204b0
but if I try:
    Instance<Authenticator> selected = authenticators.select(new NamedLiteral("myJaasAuthenticator"));
It gets unsatisfied.
-
9. Re: Seam security and JAAS
tobijr Feb 17, 2011 6:05 AM (in response to tobijr)
w00t!
I used @Named(withExplicitName) and configured the IdentityImpl to use withExplicitName and it worked!
-
10. Re: Seam security and JAAS
tobijr Feb 17, 2011 6:13 AM (in response to tobijr)
Shane,
it's authenticating now, but when it tries to call activeAuthenticator.getUser() in the postAuthenticate method of IdentityImpl (line 346) it gets a null user.
Where is it transforming the JAAS subject into a user?
-
11. Re: Seam security and JAAS
shane.bryzak Feb 17, 2011 6:27 AM (in response to tobijr)
It seems as though you've just discovered a bug - could you please raise an issue in JIRA [1] for this? To work around this problem, add the following line to your authenticate() method in MyJaasAuthenticator, after the call to getLoginContext().login():
    setUser(new SimpleUser(credentials.getUserName()));
Let me know if this still doesn't work.
-
12. Re: Seam security and JAAS
tobijr Feb 17, 2011 7:10 AM (in response to tobijr)
Since I now have a copy of the JaasAuthenticator, I implemented it on the postAuthenticate method.
Probably when you fix the @Model/@Named problem, I'll inherit from the original JaasAuthenticator and keep using the method I developed.
Thank you very much shane!
-
13. Re: Seam security and JAAS
tobijr Feb 17, 2011 7:44 AM (in response to tobijr)
Shane,
I tried to create a JBoss Community user (to create a Jira issue) but I couldn't since the confirmation email never arrived. Actually I've been trying to register since yesterday.
Although I'll try to register again later, if you don't want to take the risk to lose the issue in the air, it would probably be better if you create it yourself.