4 Replies Latest reply on Oct 28, 2008 3:14 PM by joaobmonteiro

    Automatic logins

    kokice
      Hi there,

      I couldn't come up with a better topic title, but here we go. I'm using the latest Seam, and I have some trouble implementing something.

      What I need to do is implement my own custom login-strategy. In short terms, I need to check if a specific user is logged on through an external system, if so the user is automatically logged in. This is simply done by checking if a specific cookie is there, and contacting a webservice which returns me some values based on this cookie. Pretty basic and straightforward, and this part works FINE. However, I'm having some problems with the Seam lifecycle methinks. I'm also a Seam-newbie, so bear with me here. :)

      What I did was to add a method to be called when the NotLoggedIn-event is fired:

         <event type="org.jboss.seam.notLoggedIn">
          <action execute="#{authenticator.autoLogin}"/>
          <action execute="#{redirect.captureCurrentView}"/>
         </event>

      This is an idea I got from:

      http://sdudzin.blogspot.com/2007/12/windows-sso-with-jboss-seam.html

      My autoLogin-method is called, I do some custom authentication-stuff, i.e. verifying that the user is logged in through a webservice, and initialize the Credentials- and identity objects by setting necessary values. In other words, these two objects now contain some values.

      Then in my pages.xml:

          <page view-id="*" login-required="true">
              <navigation>
                  <rule if-outcome="home">
                      <redirect view-id="/home.xhtml"/>
                  </rule>
              </navigation>
          </page>

      And here's the funny stuff. Here you also define a login-view-id. So every time I enter my application, my autoLogin-method is called, the Credentials- and Identity-objects are populated, but I still end up at /login.xhtml, where I need to actually press the login-button to login so that the authenticate-method is called. Then I am logged in, and the correct user is shown.

      How do I automate this? I don't want Seam to redirect me to login.xhtml, I want Seam to accept that I'm logged in, but still protect every page!!

      I tried adding: <action execute="#{identity.tryLogin}"/>

      to the NotLoggedIn-event, but still the same. What am I missing here? How can I "bypass" this in the best way?


      Hope I'm making some sense here....

      Thanks in advance!
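The cookie-plus-webservice check described in the post above, sketched as an added example that is not part of the original thread: the decision is fail-closed, so a missing cookie, an unknown token or a web-service error all fall through to the normal login view. The cookie name, the `SsoSessionService` interface and the sample tokens are assumptions made for illustration, and the Seam wiring (setting Credentials and Identity from the result) is left out.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Optional;

public class SsoAutoLoginCheck {

    /** Hypothetical client for the external system's session web service. */
    interface SsoSessionService {
        /** Returns the user bound to the token, or null if the session is unknown or expired. */
        String lookupUser(String token) throws Exception;
    }

    static final String COOKIE_NAME = "EXT_SSO_TOKEN"; // assumed cookie name

    /**
     * Decide whether a request may be logged in automatically. The user name is
     * returned only when the external system vouches for the cookie; every other
     * path returns empty so the caller falls back to the regular login view.
     */
    static Optional<String> resolveUser(Map<String, String> cookies, SsoSessionService service) {
        String token = cookies.get(COOKIE_NAME);
        if (token == null || token.isEmpty() || token.length() > 512) {
            return Optional.empty();               // no cookie, or an implausible one
        }
        try {
            String user = service.lookupUser(token);
            if (user == null || user.trim().isEmpty()) {
                return Optional.empty();           // service does not know this session
            }
            return Optional.of(user.trim());
        } catch (Exception e) {
            return Optional.empty();               // service unreachable or failing: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a fake service that knows exactly one token.
        SsoSessionService fake = token -> {
            if (token.equals("outage")) throw new Exception("service unavailable");
            return token.equals("valid-token") ? "toni" : null;
        };
        System.out.println(resolveUser(Collections.singletonMap(COOKIE_NAME, "valid-token"), fake));
        System.out.println(resolveUser(Collections.singletonMap(COOKIE_NAME, "forged"), fake));
        System.out.println(resolveUser(Collections.singletonMap(COOKIE_NAME, "outage"), fake));
        System.out.println(resolveUser(Collections.<String, String>emptyMap(), fake));
    }
}
```

Only a non-empty result should ever be copied into the session's identity; the presence of the cookie alone proves nothing, since the client controls it.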
        • 1. Re: Automatic logins
          joaobmonteiro

          Hi Toni,


          I had a similar problem because I have a component that replaces Seam Identity for SSO. If I understood correctly, you can try this:


          <page view-id="/login.xhtml">
             <navigation>
               <rule if="#{identity.loggedIn}">
                   <redirect view-id="/index.xhtml" />
               </rule>
             </navigation>
          </page>
          



          So, if you are logged in, Seam redirects to the correct view.


          This scenario also occurs when a user enters directly to login.xhtml.


          I hope it helps.

          • 2. Re: Automatic logins
            kokice

            Joao B. Monteiro wrote on Oct 28, 2008 13:57:


            Hi Toni,

            I had a similar problem because I have a component that replaces Seam Identity for SSO. If I understood correctly, you can try this:

            <page view-id="/login.xhtml">
               <navigation>
                 <rule if="#{identity.loggedIn}">
                     <redirect view-id="/index.xhtml" />
                 </rule>
               </navigation>
            </page>
            



            So, if you are logged in, Seam redirects to the correct view.

            This scenario also occurs when a user enters directly to login.xhtml.

            I hope it helps.


            Hi Joao,


            thanks for the input. Funny enough I didn't even think of this, but hey, I've only been using Seam for a short time. :)


            I will try this tonight, and come back if I run into problems. Some questions though since you are using SSO as well.


            Did you also go for the same solution with a custom method in the NotLoggedIn-event? Where do you actually call the authenticate-method, since this has to be done also, or you maybe also went for the identity.tryLogin()-call?


            And finally, what about the login-view-id in pages.xml, should this be removed completely?


            Thanks!


              • 4. Re: Automatic logins
                joaobmonteiro

                Hi,


                You should maintain login-view-id in pages.xml and also the first rule you mentioned.


                When we developed our SSO solution the ideas from http://sdudzin.blogspot.com/2007/12/windows-sso-with-jboss-seam.html were not available yet. So we decided to extend SeamIdentity component and override the isLoggedIn() and authenticate() methods and it is now part of our security layer. This way, we don't need any extra configuration about which is the right authenticate() method.


                Our Identity looks like this:


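                import javax.security.auth.login.LoginException;
                import org.jboss.seam.ScopeType;
                import org.jboss.seam.annotations.Name;
                import org.jboss.seam.annotations.Scope;
                import org.jboss.seam.security.Identity;

                @Name(value = "org.jboss.seam.security.identity")
                @Scope(value = ScopeType.SESSION)
                public class SegurancaIdentity extends Identity {
                    @Override
                    public boolean isLoggedIn() {
                        // our custom logged-in check that takes care of SSO
                        return super.isLoggedIn(); // placeholder so the sketch compiles
                    }

                    @Override
                    public void authenticate() throws LoginException {
                        // our custom method that looks for an Identity manager
                        // which knows how to authenticate through many identity providers
                    }
                }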
                



                Our authenticate method is only called when no other login action occurred previously. For example, when a third-party user tries to access our webapps from the internet. When a user is inside our intranet, only isLoggedIn() is called.