12 Replies Latest reply on Nov 19, 2009 3:29 PM by dklan

How to use token-based Remember-me Authentication?

mikko_lehtinen Oct 9, 2008 1:53 PM

Is there going to be an example on how to use to use token-based Remember-me Authentication? I've done everything according to Chapter 15.3.5.1. and tokens are saved in the database, but automatic login isn't happening.

1. Re: How to use token-based Remember-me Authentication?

mikko_lehtinen Oct 10, 2008 12:47 PM (in response to mikko_lehtinen)

I've been trying to debug this by overriding RememberMe and it seems that initCredentials() inits the credentials successfully, but quietLogin() doesn't get called at all. Any hints on what I may be doing wrong?
Actions
2. Re: How to use token-based Remember-me Authentication?

shane.bryzak Oct 10, 2008 2:42 PM (in response to mikko_lehtinen)

Raise a task in JIRA and I'll add an example of token-based remember-me to one of the Seam examples.
Actions
3. Re: How to use token-based Remember-me Authentication?

mikko_lehtinen Oct 13, 2008 1:23 PM (in response to mikko_lehtinen)

Okay, I got it working by modifying SeamSpace example. I'm still out of luck in my own project. It's quite difficult to debug where the problem is.
Actions
4. Re: How to use token-based Remember-me Authentication?

stefanotravelli Oct 13, 2008 2:48 PM (in response to mikko_lehtinen)

I think the problem is related to changes for JBSEAM-3422.

I filed this issue about that: JBSEAM-3549
Actions
5. Re: How to use token-based Remember-me Authentication?

stefanotravelli Oct 13, 2008 2:53 PM (in response to mikko_lehtinen)
Forgot to mention that, as a workaround or maybe as a solution to be documented, you can add a call to #{identity.tryLogin() in response of the org.jboss.seam.security.notLoggedIn event:

<event type="org.jboss.seam.security.notLoggedIn"> <action execute="#{redirect.captureCurrentView}"/> <action execute="#{identity.tryLogin()}"/> </event> <event type="org.jboss.seam.security.loginSuccessful"> <action execute="#{redirect.returnToCapturedView}"/> </event>
Actions
6. Re: How to use token-based Remember-me Authentication?

mikko_lehtinen Oct 14, 2008 11:02 AM (in response to mikko_lehtinen)

Thanks for the tip Stefano. It seems to fix the autologin now, but Credentials are lost somewhere. Trying to print #{credentials.username} gives null. Actually that happens with SeamSpace example too.
Actions
7. Re: How to use token-based Remember-me Authentication?

stefanotravelli Oct 14, 2008 12:52 PM (in response to mikko_lehtinen)
Digging into the code I found that during the autologin cycle the Identity component is unauthenticated in order to clear any role membership.
Also, credentials get cleared. That's why #{credentials.username} gives null.

I think this is for some security protection. We'd need a comment from Shane about this.

If you need the username, you can get it from the Principal in the Identity component:

Identity.instance().getPrincipal().getName();

Hope this helps
Actions
8. Re: How to use token-based Remember-me Authentication?

shane.bryzak Oct 14, 2008 1:11 PM (in response to mikko_lehtinen)

In the case of auto-login, the credentials are really the token cookie value that has been presented by the web browser. As Stefano said, if you want to know what the username is then use Identity.instance().getPrincipal().getName().
Actions
9. Re: How to use token-based Remember-me Authentication?

mikko_lehtinen Mar 5, 2009 1:12 PM (in response to mikko_lehtinen)
I finally had time to take a look at this. It definitely seems that autologin doesn't work in all cases. I created a sample application with seam-gen and did the changes in Seam Guide.

And yes I added this to components.xml:

<event type="org.jboss.seam.security.notLoggedIn"> <action execute="#{redirect.captureCurrentView}"/> <action execute="#{identity.tryLogin()}"/> </event>

I created two pages:

<page view-id="/home.xhtml" > </page> <page view-id="/test.xhtml" login-required="true"> </page>

Autologin only works from test.seam. Apparently identity.tryLogin() isn't called if login is not required.

The complete sample application is available at Github
Actions
10. Re: How to use token-based Remember-me Authentication?

mikko_lehtinen Apr 5, 2009 5:45 PM (in response to mikko_lehtinen)

Nobody else having the same problem?
Actions

11. Re: How to use token-based Remember-me Authentication?

dklan Nov 19, 2009 3:18 PM (in response to mikko_lehtinen)

I used this way:

In components.xml

<security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>

In login.page.xml header:

<page xmlns="http://jboss.com/products/seam/pages"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.1.xsd"
      action="#{authenticator.checkIfLoogedIn}">

In login.page.xml body:

 <navigation from-action="#{identity.login}">
      <rule if="#{identity.loggedIn}">
         <redirect view-id="/home.xhtml"/>
      </rule>
   </navigation>
   
   <navigation from-action="#{authenticator.checkIfLoogedIn}">
      <rule if="#{identity.loggedIn}">
         <redirect view-id="/home.xhtml"/>
      </rule>
   </navigation>

And in Authenticator.java

  public void checkIfLoogedIn() {
        
    }

This last method, is a dummy method. If you want, you could add a log for see the process on the debug console. In my case, if user close the tab or close the browser having a started session, the application redirect him to user home page (In my case, the main menu). I test this way in Firefox 3.0 and IE 7.0.

I hope that helps.

12. Re: How to use token-based Remember-me Authentication?

dklan Nov 19, 2009 3:29 PM (in response to mikko_lehtinen)

Oh, I had forgetted it. I'm based my solution on this page : My Link
Actions

Go to original post