4 Replies Latest reply on Mar 12, 2008 11:24 PM by shane.bryzak

    j_security_check servlet version in Seam for login

    timothy.timothy.freyne.msp.be

      Hi,
      I have read many posts about this topic but no real solution...
      Prior to Seam we were using form-based authentication, which works nicely and is useful for developing in Tomcat (use of tomcat-users.xml for configuration) and in production on any other type of server (which has its own security but via an LDAP search).
      How can I use the transparent security of the server (have LDAP security (for password and initial company-wide roles which are predefined and cannot be altered)) be integrated with  and on top of this additional security functionality which is implemented in the authenticator method?


      I was looking in the lines of either:


      - use server security via j_security_check and then somehow use the Seam security if server authentication was successful


      or


      - use Seam security and try to login to the server security.


      I cannot get this to work and any help (code, useful links) would be very welcome.


      Greetings
      T.

        • 1. Re: j_security_check servlet version in Seam for login
          shane.bryzak

          There are two options. The first one is to use a container-provided LdapLoginModule (JBoss AS comes with a couple of these) by configuring Seam Security to use a different JAAS configuration - the Security chapter of the ref docs explains how to do this.


          The second option is to get the latest code from SVN and try out the new LdapIdentityStore, although this is bleeding edge code and as such isn't so stable yet, but on the other hand I wouldn't mind some feedback from users testing it in different environments ;)

          • 2. Re: j_security_check servlet version in Seam for login
            timothy.timothy.freyne.msp.be

            Thank you for the quick reply. The thing is that in a large organisation, you have no control of the production security and how it is implemented (developing on Tomcat, via tomcat-users.xml, but production is BEA WebLogic and has a realm configured). Prior to using Seam the code looked like this:



            
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>WEB Application</web-resource-name>
                <url-pattern>/pages/*</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
              </web-resource-collection>
              <auth-constraint>
                <description>Only registered users can access the application</description>
                <role-name>WEBuser</role-name>
              </auth-constraint>
            </security-constraint>
            <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>myrealm</realm-name>
              <form-login-config>
                <form-login-page>/login/login.jsp</form-login-page>
                <form-error-page>/login/notAuthorized.jsp</form-error-page>
              </form-login-config>
            </login-config>
            <security-role>
              <description>WEB user role</description>
              <role-name>WEBuser</role-name>
            </security-role>
            
            
            



            The actual login form contains the action for the j_security_check.


            This all works and it doesn't matter how the server retrieves the user, it just does this (the code for the actual server security is fully transparent and the only thing is myrealm and the role). But how do I do this with Seam security? How do I transparently hook into the realm? When developing in Tomcat there is no actual myrealm and because it uses the tomcat-users.xml by default it all works. Should I create a myrealm in server.xml for Tomcat? At the moment I have this code and it works; however, it is kind of a workaround because I need an extra choice on the login form (in addition to username and password):



            <form method="post" action="j_security_check">
              <!-- ids added so the $('j_username') / $('j_password') lookups below resolve by id -->
              <input type="hidden" id="j_username" name="j_username" />
              <input type="hidden" id="j_password" name="j_password" />
            </form>

            <ice:form id="loginForm">
              <ice:panelGroup>
                <f:facet name="header">Login</f:facet>
                <p>Please login here</p>
                <ice:panelGrid columns="2">
                  <ice:outputLabel value="Username" />
                  <ice:inputText id="usernameId" value="#{identity.username}"
                    partialSubmit="true" />
                  <ice:outputLabel value="Password" />
                  <ice:inputSecret id="passwordId" value="#{identity.password}"
                    partialSubmit="true" redisplay="true" />
                  <ice:outputLabel value="Database" />
                  <ice:selectOneRadio partialSubmit="true"
                    value="#{authenticator.extraThing}" converter="someConverter">
                    <f:selectItems value="#{authenticator.extraThings}" />
                  </ice:selectOneRadio>
                </ice:panelGrid>
              </ice:panelGroup>
              <ice:commandButton value="Login" onclick="login();" />
              <script type="text/javascript">
                // Copy the JSF field values into the hidden j_security_check form and submit it.
                function login(){
                  $('j_username').value = $('loginForm:usernameId').value;
                  $('j_password').value = $('loginForm:passwordId').value;
                  document.forms[0].submit();
                }
              </script>
            </ice:form>



            in authenticator:


            
            private ExtraThing extraThing;

            // ...getters and setter...

            public boolean authenticate() {
                String username = identity.getUsername();
                log.info("authenticating #0", username);

                // ...

                return isAuthorized;
            }



            However this doesn't seem to be an elegant way of doing this. Is it?


            Greetings,
            t.

            • 3. Re: j_security_check servlet version in Seam for login
              timothy.timothy.freyne.msp.be

              According to the docs you can use something like this:



              <web:authentication-filter url-pattern="*.seam" auth-type="digest" key="AA3JK34aSDlkj" realm="myrealm"/>



              I tried this but it didn't work. What is this key? Should this work? Has anyone successfully


              Thank you for your help!
              T.

              • 4. Re: j_security_check servlet version in Seam for login
                shane.bryzak

                The realm attribute has nothing to do with Tomcat realms; it is the realm presented to the user when authenticating via digest authentication.


                At this stage you really need to make a choice between using your web server's security or Seam security; you can't use both. If you want to use Seam Security and be able to easily switch configurations between dev and prod then that can be easily configured in components.xml.
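
What `realm` and a server-side `key` do in digest authentication, as an added example that is not part of the thread and not Seam's own code: the realm is a string hashed into the client's response (RFC 2617), and a key is commonly used to sign nonces so the server can verify them statelessly. The nonce format, the `issueNonce`/`nonceValid` helpers and the key value are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class DigestRealmDemo {
    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.ISO_8859_1); }
    static String md5Hex(String s) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("MD5").digest(bytes(s))) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // RFC 2617, qop=auth: the realm is only a string hashed into HA1 with the password.
    static String response(String user, String realm, String password, String method,
                           String uri, String nonce, String nc, String cnonce) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    // Assumed nonce scheme (a common construction, not taken from Seam's source):
    // base64(expiry ":" MD5(expiry ":" key)); the key never leaves the server.
    static String issueNonce(long expiryMillis, String key) throws Exception {
        String raw = expiryMillis + ":" + md5Hex(expiryMillis + ":" + key);
        return Base64.getEncoder().encodeToString(bytes(raw));
    }
    static boolean nonceValid(String nonce, String key, long nowMillis) throws Exception {
        try {
            String[] p = new String(Base64.getDecoder().decode(nonce), StandardCharsets.ISO_8859_1).split(":", 2);
            long expiry = Long.parseLong(p[0]);
            return p.length == 2 && expiry > nowMillis
                    && MessageDigest.isEqual(bytes(p[1]), bytes(md5Hex(expiry + ":" + key)));
        } catch (IllegalArgumentException e) { // malformed base64 or non-numeric expiry
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Sample request values are the worked example from RFC 2617 section 3.5.
        for (String realm : new String[] {"testrealm@host.com", "myrealm"}) {
            System.out.println(realm + " -> " + response("Mufasa", realm, "Circle Of Life",
                    "GET", "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"));
        }
        long now = System.currentTimeMillis();
        String nonce = issueNonce(now + 300_000, "constructed-key"); // constructed key value
        System.out.println("right key: " + nonceValid(nonce, "constructed-key", now));
        System.out.println("wrong key: " + nonceValid(nonce, "other-key", now));
        System.out.println("expired:   " + nonceValid(nonce, "constructed-key", now + 600_000));
    }
}
```

To check a response, the server must recompute HA1, so it needs the password or a stored HA1 for that exact realm string.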