4 Replies Latest reply on Mar 6, 2009 7:58 PM by sdgiant

    Seam 2.1.1 Security jaas-config-name and AutoLogin possible?

    sdgiant

      Working on an upgrade from 2.0.2 to 2.1.1, trying to implement autologin with Remember Me, and am running into some problems with errors. First, the components.xml:


         <security:identity jaas-config-name="nameFromLoginConfig"/>   
         <security:jpa-token-store token-class="mydomain.model.AuthenticationToken"/>
         <security:remember-me mode="autoLogin"/>   




      As you can see, we are using jaas-config-name, which allows us to defer the security setup to the container (JBoss 4.2.2 in our case). The RememberMe functionality is MOSTLY working. I can debug, see the cookie set, and then retrieved. However, I get a NullPointerException; here is the relevant stack:



      Caused by: java.lang.NullPointerException
           at org.jboss.seam.security.management.IdentityManager.isUserEnabled(IdentityManager.java:130)
           at org.jboss.seam.security.RememberMe$1.execute(RememberMe.java:286)
           at org.jboss.seam.security.Identity.runAs(Identity.java:743)
           at org.jboss.seam.security.RunAsOperation.run(RunAsOperation.java:75)
           at org.jboss.seam.security.RememberMe.quietLogin(RememberMe.java:282)




      Looking at the code, it seems an IdentityManager is required.


      // From RememberMe.quietLogin(): runs with the username taken from the cookie.
      // The IdentityManager.isUserEnabled() call is the one throwing the NPE above.
      new RunAsOperation(true) {
           @Override
           public void execute()
           {
              if (IdentityManager.instance().isUserEnabled(username))
              {
                 userEnabled.value = true;

                 // Roles for the auto-logged-in user also come from the IdentityManager
                 for (String role : IdentityManager.instance().getImpliedRoles(username))
                 {
                    roles.add(role);
                 }
              }
           }
      }.run();



      It seems like this configuration should be supported based on the Reference docs, but no joy so far.


      So is it possible to still use jaas-config-name and use RememberMe? 


      Do I need to change my Components.xml and set up IdentityStores for each of my servers? 


      Thanks!


      Bill

        • 1. Re: Seam 2.1.1 Security jaas-config-name and AutoLogin possible?
          holmes.j

          Exact same question. Upgrading to 2.1.1 from 2.0.2 and am running into this problem.


          What's the resolution? Do I really get to stub out my own IdentityManager?

          • 2. Re: Seam 2.1.1 Security jaas-config-name and AutoLogin possible?
            sdgiant

            My resolution was to create my own LdapIdentityStore. I suspect this should really be considered a bug; as you can see from the code, an IdentityManager is really required, which means the old JAAS config name setup just won't work.


            I had a surprising number of problems trying to get autologin to work at all... We have it working now, but it involved a number of hacks. First, set up the identity store, like the example in the Seam codebase:



                <identity-management:ldap-identity-store
                  server-address="60.241.32.50"
                  bind-DN="cn=Manager,dc=bryzak,dc=com"
                  bind-credentials="secret"
                  user-DN-prefix="uid="
                  user-DN-suffix=",ou=Person,dc=bryzak,dc=com"
                  role-DN-prefix="cn="
                  role-DN-suffix=",ou=Roles,dc=bryzak,dc=com"
                  user-context-DN="ou=Person,dc=bryzak,dc=com"
                  role-context-DN="ou=Roles,dc=bryzak,dc=com"
                  user-role-attribute="roles"
                  role-name-attribute="cn"
                  user-object-classes="person,uidObject"
                  enabled-attribute="enabled"
                  />
            



            If you are using Active Directory, you may find a few issues that I came across that forced me to write my own LDAP Identity Store (actually just copy the whole LdapIdentityStore and change a few lines). Primarily, I couldn't get DN names to work and had to switch to the name@company.local format for authentication. Weird, but it worked.


            After that I still had trouble with the auto login working, but then immediately logging out again. I hacked around that. Hopefully you don't have that problem, but reply here if you do and I'll try to help.

            • 3. Re: Seam 2.1.1 Security jaas-config-name and AutoLogin possible?
              matteg.gerry.matte.shaw.ca

              I have a problem using LdapIdentityStore because it assumes that roles are attributes of users. That's not normally the implementation I have observed, and it's not the one we use. Normally roles are defined as members of a group.


              So ..... I am stuck with (possibly) extending the LdapIdentityStore to enable searches for roles to be rooted differently in the LDAP naming hierarchy.


              However, I can not seem to find the source code so that I can extend that code in an intelligent way.


              Can you tell me where to find the source code ?
              Thanks for any tips.


              Currently I am using the JBoss LDAP Realm because it is flexible enough to support a search root for roles that is not the same as the search root for users.
              Gerry

              • 4. Re: Seam 2.1.1 Security jaas-config-name and AutoLogin possible?
                sdgiant

                Take a look at the last comment in this post:


                http://www.seamframework.org/Community/CustomIdentityStore


                I don't have my code in front of me, but it was close to the configuration he is using.  As I mentioned above, I hacked it a little, and did not EXTEND LdapIdentityStore, but rather copied and pasted the whole class LdapIdentityStore into a new class, and made changes from there (the annotations in that class didn't work for me, so I used the components.xml version in the post I linked.)


                If I remember right, the reason was that their implementation of LdapIdentityStore had some variables I wanted to use that did not have getters/setters and were private. You may be able to extend it, so try that first I suppose.
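The following is an added example, not code from this thread or from Seam. It shows, against a constructed in-memory stand-in for an LDAP directory, the two things a custom identity store has to answer for the RememberMe quietLogin() path shown above (is the user enabled, and which roles are implied) when roles are defined as group membership under a separate role root (Gerry's case in reply 3) rather than as a "roles" attribute on the user entry (what LdapIdentityStore assumes), and it accepts the name@company.local principal form that worked against Active Directory in reply 2. The DNs, the "enabled" attribute, the userPrincipalName lookup and the sample entries are all assumptions made for the example.

```python
# Added example, not Seam code: resolve enabled-status and roles for a user from
# group membership in a directory. DIRECTORY is a constructed sample; attribute
# and context names are assumptions chosen to mirror the thread's configuration.

USER_CONTEXT_DN = "ou=Person,dc=example,dc=com"
ROLE_CONTEXT_DN = "ou=Roles,dc=example,dc=com"   # roles rooted separately from users
USER_DN_PREFIX = "uid="
UPN_SUFFIX = "@company.local"                      # the form that worked against AD

# Constructed sample directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    f"uid=bill,{USER_CONTEXT_DN}": {
        "objectClass": ["person", "uidObject"],
        "uid": ["bill"],
        "userPrincipalName": ["bill" + UPN_SUFFIX],
        "enabled": ["TRUE"],
    },
    f"uid=gerry,{USER_CONTEXT_DN}": {
        "objectClass": ["person", "uidObject"],
        "uid": ["gerry"],
        "userPrincipalName": ["gerry" + UPN_SUFFIX],
        "enabled": ["FALSE"],            # disabled account: autoLogin must refuse it
    },
    # Roles are groups under the role root; membership lives on the group entry.
    f"cn=admin,{ROLE_CONTEXT_DN}": {
        "objectClass": ["groupOfNames"],
        "cn": ["admin"],
        "member": [f"uid=bill,{USER_CONTEXT_DN}"],
    },
    f"cn=developer,{ROLE_CONTEXT_DN}": {
        "objectClass": ["groupOfNames"],
        "cn": ["developer"],
        # Nested group: every admin is also a developer.
        "member": [f"cn=admin,{ROLE_CONTEXT_DN}", f"uid=gerry,{USER_CONTEXT_DN}"],
    },
    f"cn=user,{ROLE_CONTEXT_DN}": {
        "objectClass": ["groupOfNames"],
        "cn": ["user"],
        "member": [f"cn=developer,{ROLE_CONTEXT_DN}"],   # every developer is a user
    },
}


def search(base_dn, predicate):
    """One-level search under base_dn: yield (dn, attrs) for matching entries."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base_dn) and predicate(attrs):
            yield dn, attrs


def find_user_dn(principal):
    """Map a login name to a user DN, or None if there is no such user.

    A bare uid is turned into a DN with the prefix/suffix scheme (as
    LdapIdentityStore does); the name@company.local form is looked up by
    userPrincipalName instead, since building a DN from it does not work on AD.
    """
    if "@" in principal:
        hits = list(search(USER_CONTEXT_DN,
                           lambda a: principal in a.get("userPrincipalName", [])))
        return hits[0][0] if hits else None
    dn = f"{USER_DN_PREFIX}{principal},{USER_CONTEXT_DN}"
    return dn if dn in DIRECTORY else None


def is_user_enabled(user_dn):
    """Fail closed: a missing user or a non-TRUE enabled attribute means disabled."""
    attrs = DIRECTORY.get(user_dn)
    return attrs is not None and attrs.get("enabled", ["FALSE"])[0].upper() == "TRUE"


def role_name(group_dn):
    return DIRECTORY[group_dn]["cn"][0]


def groups_containing(member_dn):
    """Groups under the role root whose member attribute lists member_dn."""
    return [dn for dn, _ in
            search(ROLE_CONTEXT_DN, lambda a: member_dn in a.get("member", []))]


def granted_roles(user_dn):
    """Roles the user holds directly (the groups naming the user's DN)."""
    return sorted(role_name(dn) for dn in groups_containing(user_dn))


def implied_roles(user_dn):
    """Transitive closure over nested groups; the visited set guarantees
    termination even if the directory contains a membership cycle."""
    pending, seen = groups_containing(user_dn), set()
    while pending:
        group_dn = pending.pop()
        if group_dn not in seen:
            seen.add(group_dn)
            pending.extend(groups_containing(group_dn))
    return sorted(role_name(dn) for dn in seen)


def quiet_login(principal):
    """What the RememberMe autoLogin path asks of a store: (enabled, roles).
    An unknown or disabled user yields (False, []) and gets no roles."""
    user_dn = find_user_dn(principal)
    if user_dn is None or not is_user_enabled(user_dn):
        return False, []
    return True, implied_roles(user_dn)


if __name__ == "__main__":
    for who in ("bill", "bill@company.local", "gerry", "nobody"):
        print(who, quiet_login(who))
```

The point to carry over to a real store is the separation of the two searches: users are resolved under the user context, roles under the role context with a filter on the group's member attribute, and implied roles come from repeating that second search on each group DN found, which is exactly the case a user-attribute-based store cannot express.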