9 Replies Latest reply on Mar 18, 2009 6:29 PM by jeckhart

Seam 2.1GA + plain J2EE security: userPrinicpal is null..

titou09 Oct 23, 2008 9:02 PM

Is it possible to use plain J2EE security with seam v2.1.0GA?

Our application is deployed in WebSphere v6.1.0.17 with plain old POJOs and Hibernate (ie, no EJB3 nor JPA)

The J2EE security is active. Any user has to logon to access the app.

We have a servlet filter that perform some logic and uses the httpServletRequest.getUserPrincipal() method to retrive the userid of the connected user

Everything was working fine until we migrate to seam v2.1.0GA
Now, with v2.1.0GA, the httpServletRequest.getUserPrincipal() in our filter servlet always return null

Any clue?

1. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

xnejp03.pnejedly.ondemand.co.uk Oct 24, 2008 12:34 PM (in response to titou09)
I'd like to know about this too. Something like this:

@In UserPrincipal principal;

is not working. It is because the http request is wrapped in IdentityRequestWrapper (in IdentityFilter) and its getUserPrincipal() method is reading principal variable on Identity component.

Is there a way of disabling Seam's Identity management altogether, in order not to wrap the request? Or is there another solution (e.g. configuring Identity component to work the same way Seam worked in pre 2.1 )?

Many thanks,

Petr
Actions

2. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

xnejp03.pnejedly.ondemand.co.uk Oct 24, 2008 1:55 PM (in response to titou09)

I made it work by extending IdentityFilter component and using it instead of the built-in one.

@Scope(ScopeType.APPLICATION)
@Name("org.jboss.seam.web.identityFilter")
@BypassInterceptors
@Filter(within = {"org.jboss.seam.web.multipartFilter"})
public class IdentityFilter extends AbstractFilter {

   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {  
       
      chain.doFilter(request, response);
      
   }
}

<component name="org.jboss.seam.web.identityFilter" class="mypackage.IdentityFilter" 
precedence="20" startupDepends="org.jboss.seam.security.identity"/>

Is this going to break anything if I don't want to use Seam's Identity management?

3. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

shane.bryzak Oct 24, 2008 4:31 PM (in response to titou09)

You are not forced to use Seam Security if you don't want to - Seam is all about choice :) I'm quite certain that Seam Security won't interfere if you want to use plain EJB security, however if you come across any issues with security breakage because of it please raise it here on the forums.
Actions
4. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

titou09 Oct 24, 2008 5:09 PM (in response to titou09)

JIRA JBSEAM-3629 created
(Petr, I copy/pastedd some of your sentences)
Actions
5. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

titou09 Oct 27, 2008 5:47 PM (in response to titou09)

Petr,
I found another (better?)(official?) workaround.
Add

<web:identity-filter disabled="true" />

in components.xml

I don't know if this is officialy the correct way to use seam v2.1GA with plain J2EE security

Shane,
If this is the correct way to use seam v2.1.0GA with plain J2EE security, then please add this to the migration guide and also to the documentation, if so I'll downgrade the opened JIRA
If not, then please check the JIRA
Actions
6. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

xnejp03.pnejedly.ondemand.co.uk Oct 27, 2008 7:39 PM (in response to titou09)

Brilliant, Denis. Thanks.
Actions
7. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

eirirlar Nov 14, 2008 1:57 PM (in response to titou09)
I've deployed on Tomcat 6 and have the same issue when installing the seam filter. The following always return null:

facesContext.getExternalContext().getUserPrincipal()

1 to get this fixed asap :)

I'm rolling back to seam-2.0 for now.
Actions
8. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

shane.bryzak Nov 16, 2008 12:04 AM (in response to titou09)

Did you disable IdentityFilter?
Actions
9. Re: Seam 2.1GA + plain J2EE security: userPrinicpal is null..

jeckhart Mar 18, 2009 6:29 PM (in response to titou09)

Another mechanism to get to the underlying container Principal (ServletRequest.getUserPrincipal()) and username (ServletRequest.getRemoteName()) is to disable Seam security altogether:

ie: In components.xml:
<core:init security-enabled="false" />
Actions

Go to original post

1 to get this fixed asap :)