1 2 Previous Next 24 Replies Latest reply on Apr 17, 2009 10:54 AM by betatesteur

Seam and security context

chawax Apr 28, 2008 2:29 PM

Hi,

I have a Seam application using EJB components. Some EJB components have an interceptor to check security, so I need to retrieve the principal. I did it this way :

public class SecurityInterceptor 
{
    @javax.annotation.Resource
    protected javax.ejb.SessionContext context;

    @javax.interceptor.AroundInvoke
    public Object execute(javax.interceptor.InvocationContext ctx)
        throws Exception 
    {
        try
        {
             if (context != null) {
                  if (context.getCallerPrincipal() != null) {
                      System.out.println(context.getCallerPrincipal().getName());
                  }
             }
            return ctx.proceed();
        }
        catch (Exception e)
        {
             e.printStackTrace();
            throw e;
        }
    }
}

This interceptor works well when I run unit tests with JBoss microcontainer. But it fails when I call EJBs from a Seam component, with a No valid security context for the caller identity message.

I wrote an authenticator Seam component, with this authenticate method :

public boolean authenticate()
        throws java.lang.Exception
{
    String username = Identity.instance()getUsername();
    String password = Identity.instance().getPassword();
    VOCompteUtilisateur utilisateur = getServiceUtilisateur().getCompteUtilisateur(username);
    if (utilisateur != null && utilisateur.getPassword().equals(password)) {
         this.utilisateur = utilisateur;
            this.actor.setId(utilisateur.getMatriculeEmploye());
           this.actor.getGroupActorIds().add(utilisateur.getMatriculeEmploye());
            StringTokenizer roles = new StringTokenizer(utilisateur.getRoles(),",");
            while (roles.hasMoreTokens()) {
                 String role = roles.nextToken();
                 identity.addRole(role);
            }
            return true;
    }
    else return false;
}

I guess I have something to do before returning true to integrate Seam identity and EJB security context. I saw there's a authenticate method in org.jboss.seam.security.Identity class, waiting for a javax.security.auth.login.LoginContext parameter. Is it the method I should use ? And where can I retrieve this login context ?

Thanks in advance for your help ;)

1. Re: Seam and security context

shane.bryzak Apr 28, 2008 3:23 PM (in response to chawax)

Seam Security doesn't integrate with container security (although there are some issues in JIRA to address this, with JBossAS at least). Can you not use the security interceptor though that Seam provides? If you want to use your own you can, however you'll be missing out on many of the features provided by Seam Security.

Anyways back on topic, to get the Principal simply call Identity.instance().getPrincipal().
Actions
2. Re: Seam and security context

chawax Apr 28, 2008 3:38 PM (in response to chawax)

I am a newbie with these security features, so maybe I misunderstood something. But when I read in the manual about security

The authentication features provided by Seam Security are built upon JAAS (Java Authentication and Authorization
Service)

I thougt that when you authenticate to Seam with authenticator component, you authenticate to JAAS and so on to the container. Am I wrong ?

About using Seam interceptors, I hardly can do this because my Seam components rely on EJB3 jars that can be used in non Seam applications too. So the security needs to be handled by interceptors bundled with EJB3 jar. So I really need to authenticate to container when I authenticate in Seam. If this is something not supported by Seam, do you see a way to do this ?
Actions
3. Re: Seam and security context

shane.bryzak Apr 28, 2008 4:02 PM (in response to chawax)

JAAS is simply an API (a well designed one, which is why we use it) that Seam uses for authentication, and is a different thing to container security (which generally makes use of JAAS also).

As I mentioned, we don't support container integration as yet, and although it is on the drawing board it doesn't currently have a high priority though as it is an application server-specific feature, and as such isn't portable across containers.

If you absolutely must use container security then I'd probably recommend that you use a ServletFilter to set up and tear down the security context for each request.
Actions
4. Re: Seam and security context

chawax Apr 28, 2008 6:07 PM (in response to chawax)

Well, I wonder if we understood well each other ... What I need is not, I think, application server specific, but full JAAS. So I'll try to be more clear, sorry if what I said was a bit confusing.

My application is built of Seam components that rely on a business layer made of EJB3 SLSB components (injected thanks to javax.ejb.EJB annotation) bundled in a JAR added as a library to my application. These EJB3 components are secured thanks to an interceptor that implements home made authorization controls (role based authorization is not enough for us). Of course, to run these controls, I need to know the current user. And so I need to know who was the current user that runned the Seam component that called the EJB3 component, given that this user was authenticated thanks to authenticator.login method.

For what I understood with JAAS, authentication is made by a login module (Seam has its own) that puts a Principal object in a LoginContext object. Then you can call the getCallerPrincipal method on SessionContext injected object and it will return the principal from the LoginContext. If Seam uses JAAS to authenticate, it means that it puts a Principal in LoginContext, doesn't it ? So I can't understand why there is no way to retrieve this principal and what is application server specific there. Can you tell me where I'm wrong ?

Actually, if what I try to do is not possible, how do you do to use secured EJB3 session beans from a Seam component ?
Actions
5. Re: Seam and security context

shane.bryzak Apr 29, 2008 1:56 AM (in response to chawax)

For what I understood with JAAS, authentication is made by a login module (Seam has its own) that puts a Principal object in a LoginContext object. Then you can call the getCallerPrincipal method on SessionContext injected object and it will return the principal from the LoginContext. If Seam uses JAAS to authenticate, it means that it puts a Principal in LoginContext, doesn't it ? So I can't understand why there is no way to retrieve this principal and what is application server specific there. Can you tell me where I'm wrong ?

Actually, if what I try to do is not possible, how do you do to use secured EJB3 session beans from a Seam component ?

The LoginContext is temporary, it only survives to the end of the authentication call, and doesn't place anything into SessionContext. If you want to use EJB security then I'm afraid you'll need to do it the traditional way, at least until Seam Security supports container integration.
Actions
6. Re: Seam and security context

skajotde Apr 29, 2008 9:21 AM (in response to chawax)

Shane Bryzak wrote on Apr 29, 2008 01:56 AM:

The LoginContext is temporary, it only survives to the end of the authentication call, and doesn't place anything into SessionContext. If you want to use EJB security then I'm afraid you'll need to do it the traditional way, at least until Seam Security supports container integration.

I would too using security at ejb level. It's to me a natural way autorize businness layer not ui. You wrote traditional way, it means on servlet filters? Can you give any example with seam? ;)

Thanks ;)
Kamil
Actions
7. Re: Seam and security context

chawax Apr 29, 2008 10:09 AM (in response to chawax)

The LoginContext is temporary, it only survives to the end of the authentication call, and doesn't place anything into SessionContext.

Does it mean you have to authenticate with JAAS before any EJB call ?
Actions
8. Re: Seam and security context

shane.bryzak Apr 29, 2008 10:28 AM (in response to chawax)

By traditional I meant using container security, i.e. not Seam Security.
Actions
9. Re: Seam and security context

shane.bryzak Apr 29, 2008 10:35 AM (in response to chawax)

Not exactly, JBoss Security supports the notion of an authentication cache that allows subsequent invocations to use a previously successful login. This is described in the JBoss Security docs at http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html, and some other reading that may also be useful is the JBossSX wiki at http://wiki.jboss.org/wiki/JBossSX.
Actions
10. Re: Seam and security context

chawax Apr 29, 2008 10:42 AM (in response to chawax)

OK. So when you were talking about application servers specific features, it was about the way a successful login can be propagated to different EJB calls ? This is partly what JbossSX does ?
Actions

11. Re: Seam and security context

skajotde Apr 29, 2008 1:59 PM (in response to chawax)

Olivier Thierry wrote on Apr 28, 2008 02:29 PM:

I wrote an authenticator Seam component, with this authenticate method :
public boolean authenticate()
        throws java.lang.Exception
{
    String username = Identity.instance()getUsername();
    String password = Identity.instance().getPassword();
...
            return true;
    }
    else return false;
}
I guess I have something to do before returning true to integrate Seam identity and EJB security context.

I think this sould be solution (specific to jboss)

Configuration.setConfiguration(new Configuration {
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {                        
        Map<String, String> properties = new HashMap<String, String>();
        properties.put("restore-login-identity", "true");
        properties.put("multi-threaded", "true");
        String module = "org.jboss.security.ClientLoginModule";
        AppConfigurationEntry ace = new AppConfigurationEntry(module,
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, properties);         
        return new AppConfigurationEntry[] { ace } ;
    }
    public void refresh() { 
    }       
}
CallbackHandler handler = new JAASCallbackHandler(username, password);
LoginContext ctx = new LoginContext("domain-app", handler);
ctx.login();

Domain domain-app must be declared in $JBServer/conf/login-config.xml.

12. Re: Seam and security context

chawax Apr 29, 2008 2:04 PM (in response to chawax)

Thanks Kamil. Where do you paste this piece of code ?
Actions
13. Re: Seam and security context

skajotde Apr 29, 2008 2:13 PM (in response to chawax)

As you wrote:

I guess I have something to do before returning true
Actions
14. Re: Seam and security context

chawax Apr 29, 2008 2:17 PM (in response to chawax)

I can't make it compile ... Do you need to add any jar to the project ? Or maybe it works with a specific JBoss version (I work with 4.2.0.GA one)
Actions

1 2 Previous Next

Go to original post