-
1. Re: j_security_check servlet version in Seam for login
shane.bryzak Mar 12, 2008 1:45 PM (in response to timothy.timothy.freyne.msp.be)
There are two options. The first one is to use a container-provided LdapLoginModule (JBoss AS comes with a couple of these) by configuring Seam Security to use a different JAAS configuration; the Security chapter of the ref docs explains how to do this.
The second option is to get the latest code from SVN and try out the new LdapIdentityStore, although this is bleeding edge code and as such isn't so stable yet, but on the other hand I wouldn't mind some feedback from users testing it in different environments ;)
-
2. Re: j_security_check servlet version in Seam for login
timothy.timothy.freyne.msp.be Mar 12, 2008 2:18 PM (in response to timothy.timothy.freyne.msp.be)
Thank you for the quick reply. The thing is that in a large organisation, you have no control of the production security and how it is implemented (developing on Tomcat, via tomcat-users.xml, but production is BEA WebLogic and has a realm configured). Prior to using Seam the code looked like this:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WEB Application</web-resource-name>
            <url-pattern>/pages/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Only registered users can access the application</description>
            <role-name>WEBuser</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myrealm</realm-name>
        <form-login-config>
            <form-login-page>/login/login.jsp</form-login-page>
            <form-error-page>/login/notAuthorized.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>WEB user role</description>
        <role-name>WEBuser</role-name>
    </security-role>
The actual login form contains the action for the j_security_check.
This all works and it doesn't matter how the server retrieves the user, it just does this (the code for the actual server security is fully transparent and the only thing is myrealm and the role). But how do I do this with Seam security? How do I transparently hook into the realm? When developing in Tomcat there is no actual myrealm, and because it uses the tomcat-users.xml by default it all works. Should I create a myrealm in server.xml for Tomcat? At the moment I have this code and it works; however, it is kind of a workaround because I need an extra choice on the login form (in addition to username and password):
    <form method="post" action="j_security_check">
        <input type="hidden" name="j_username" />
        <input type="hidden" name="j_password" />
    </form>
    <ice:form id="loginForm">
        <ice:panelGroup>
            <f:facet name="header">Login</f:facet>
            <p>Please login here</p>
            <ice:panelGrid columns="2">
                <ice:outputLabel value="Username" />
                <ice:inputText id="usernameId" value="#{identity.username}" partialSubmit="true" />
                <ice:outputLabel value="Password" />
                <ice:inputSecret id="passwordId" value="#{identity.password}" partialSubmit="true" redisplay="true" />
                <ice:outputLabel value="Database" />
                <ice:selectOneRadio partialSubmit="true" value="#{authenticator.extraThing}" converter="someConverter">
                    <f:selectItems value="#{authenticator.extraThings}" />
                </ice:selectOneRadio>
            </ice:panelGrid>
        </ice:panelGroup>
        <ice:commandButton value="Login" onclick="login();" />
        <script type="text/javascript">
            function login() {
                $('j_username').value = $('loginForm:usernameId').value;
                $('j_password').value = $('loginForm:passwordId').value;
                document.forms[0].submit();
            }
        </script>
    </ice:form>
in authenticator:
    private ExtraThing extraThing;

    ...getters and setter...

    public boolean authenticate() {
        String username = identity.getUsername();
        log.info("authenticating #0", username);
        ...
        return isAuthorized;
    }
However this doesn't seem to be an elegant way of doing this. Is it?
Greetings,
t.
-
3. Re: j_security_check servlet version in Seam for login
timothy.timothy.freyne.msp.be Mar 12, 2008 2:29 PM (in response to timothy.timothy.freyne.msp.be)
According to the docs you can use something like this:
    <web:authentication-filter url-pattern="*.seam" auth-type="digest" key="AA3JK34aSDlkj" realm="myrealm"/>
I tried this but it didn't work. What is this key? Should this work? Has anyone successfully
Thank you for your help!
T.
-
4. Re: j_security_check servlet version in Seam for login
shane.bryzak Mar 12, 2008 11:24 PM (in response to timothy.timothy.freyne.msp.be)
The realm attribute has nothing to do with Tomcat realms, it is the realm presented to the user when authenticating via digest authentication.
At this stage you really need to make a choice between using your web server's security or Seam security, you can't use both. If you want to use Seam Security and be able to easily switch configurations between dev and prod then that can be easily configured in components.xml.
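
How the realm takes part in HTTP digest authentication, as an added example that is not part of the original thread and is not Seam's code. The response calculation follows RFC 2617; the nonce signed with a server-side key (HMAC-SHA256) is an assumed scheme showing one use for such a key, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

REALM = "myrealm"        # realm attribute value from the thread
KEY = "AA3JK34aSDlkj"    # key attribute value from the thread


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def challenge(realm, nonce):
    # WWW-Authenticate value; the browser shows this realm in its login prompt.
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}"'


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617, qop=auth: the realm is hashed into HA1 with the credentials.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def _sign(key, expires):
    return hmac.new(key.encode(), str(expires).encode(), hashlib.sha256).hexdigest()


def make_nonce(key, expires):
    # Assumed scheme: expiry time plus an HMAC over it, so no server state is needed.
    return base64.b64encode(f"{expires}:{_sign(key, expires)}".encode()).decode()


def nonce_is_valid(nonce, key, now):
    try:
        expires, sig = base64.b64decode(nonce).decode().split(":", 1)
        expires = int(expires)
    except ValueError:  # bad base64, bad UTF-8, missing ':' or non-numeric expiry
        return False
    expected = _sign(key, expires).encode()
    return hmac.compare_digest(sig.encode(), expected) and now < expires
```

Because the realm is part of HA1, a client that hashes its credentials against one realm string cannot answer a challenge issued for another, which is independent of any container realm such as the one named in `web.xml`.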