7 Replies Latest reply on Nov 10, 2009 2:30 AM by kapitanpetko

    Seam login problem

    bashan

      Hi,


      I am having a Seam login issue:
      I have a login screen. I first log in to the system. Then I go back to the login page. Then I enter an incorrect username and password. When I press the submit button, it goes into the application. I think it just bypasses the Authenticator class. Is there a way to solve this issue?


      Thanks,
      Guy.

        • 1. Re: Seam login problem
          asookazian

          Post your pages.xml.


          Run in debug mode with a breakpoint in the Authenticator class method(s) to be sure what's happening.

          • 2. Re: Seam login problem
            bashan

            Here is my pages.xml. The authenticator is not being called at all.


            <?xml version="1.0" encoding="UTF-8"?>
            <pages xmlns="http://jboss.com/products/seam/pages"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.2.xsd"
                   no-conversation-view-id="/main.xhtml"
                   login-view-id="/signin.xhtml">
            
              <page view-id="*">
                <!--navigation from-action="#{identity.logout}">
                  <raise-event type="removeLoginCookie"/>
                  <redirect view-id="/main.xhtml"/>
                </navigation-->
                <!--action execute="#{authenticator.autoLoginCookie}" if="#{!identity.loggedIn}"/-->
                <navigation>
                  <!--end-conversation before-redirect="true"/-->
                  <rule if-outcome="home">
                    <redirect view-id="/home.xhtml"/>
                  </rule>
            
                </navigation>
            
              </page>
            
              <page view-id="/main.xhtml">
                <rewrite pattern="/" />
                <navigation>
                  <!--end-conversation before-redirect="true"/-->
                  <rule if="#{identity.loggedIn}">
                    <redirect view-id="/home.xhtml" />
                  </rule>
                </navigation>
              </page>
            
              <page view-id="/signin.xhtml">
                <!--action execute="#{org.jboss.seam.security.facesSecurityEvents.initCredentialsFromCookie(org.jboss.seam.security.identity)}"/-->
                <rewrite pattern="/signin" />
                <navigation>
                  <!--end-conversation before-redirect="true"/-->
                  <rule if="#{identity.loggedIn}">
                    <redirect view-id="/home.xhtml"/>
                  </rule>
                </navigation>
            
              </page>
            
              <page view-id="/signup.xhtml">
                <rewrite pattern="/signup" />
                <navigation>
                  <rule if="#{identity.loggedIn}">
                    <redirect view-id="/home.xhtml"/>
                  </rule>
                </navigation>
            
              </page>
            
              <page view-id="/home.xhtml" login-required="true">
                <rewrite pattern="/home/{filter}/{page}"/>
                <rewrite pattern="/home/{filter}"/>
                <rewrite pattern="/home"/>
                <param name="filter" />
                <param name="page" />
              </page>
            
            
              <page view-id="/show.xhtml" login-required="false">
                <param name="photoId" required="true"/>
              </page>
            
              <page view-id="/show_user.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_general.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_personal.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_password.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_account.xhtml" login-required="true">
              </page>
            
              <page view-id="/upload.xhtml" login-required="true">
                <rewrite pattern="/upload"/>
              </page>
            
            
              <page view-id="/password.change.xhtml">
                <param name="confirmationCode" value="#{changePassword.confirmationCode}"/>
              </page>
            
            
              <!--page view-id="/mail/error.xhtml" login-required="false">
                 <action execute="#{error.sendMail}" />
              </page>
            
              <exception>
                <end-conversation />
                <redirect view-id="/mail/error.xhtml" />
              </exception-->
            
            
            </pages>
            




            • 3. Re: Seam login problem
              kapitanpetko

               For whatever reason (performance optimization?, root of all evil and all) Seam doesn't try to authenticate you if you are already logged in. You can easily use this for privilege escalation: log in as user1 (role: USER), then go to the login screen, type 'admin' as the username, whatever password, hit 'Login' and presto: you are admin (role: ADMIN). Maybe there is an official way to change this behaviour, but what I did is just override Identity.authenticate(). Here is the relevant code from Seam's Identity.java:


                 public synchronized void authenticate() 
                    throws LoginException
                 {
                    // If we're already authenticated, then don't authenticate again
                    if (!isLoggedIn() && !credentials.isInvalid())
                    {
                       principal = null;
                       subject = new Subject();
                       authenticate( getLoginContext() );
                    }      
                 }
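
               The override described above, written out as an added example (not kapitanpetko's code and not part of Seam): a replacement Identity component that treats a login form submitted from an already authenticated session as a new login attempt. The class and package names are hypothetical; it assumes the Seam 2.2 Identity API (isLoggedIn(), getCredentials(), the public unAuthenticate() method and the protected authenticate() path shown in the quoted snippet) and the usual Seam override pattern of re-using the built-in component name with APPLICATION install precedence.

```java
package example.security; // hypothetical package, not from the thread

import static org.jboss.seam.ScopeType.SESSION;
import static org.jboss.seam.annotations.Install.APPLICATION;

import javax.security.auth.login.LoginException;

import org.jboss.seam.annotations.Install;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.security.Identity;

/**
 * Replaces the built-in Identity component (same component name, higher
 * install precedence) so that a login form submitted while a session is
 * already authenticated runs the authenticator instead of being skipped.
 * Hypothetical class name; assumes the Seam 2.2 Identity API.
 */
@Name("org.jboss.seam.security.identity")
@Scope(SESSION)
@Install(precedence = APPLICATION)
@BypassInterceptors
@Startup
public class StrictIdentity extends Identity {

    @Override
    public synchronized void authenticate() throws LoginException {
        if (isLoggedIn() && !getCredentials().isInvalid()) {
            // Someone is logged in and fresh credentials were submitted.
            // Drop the current principal, subject and roles so the stale
            // session cannot carry the new username. unAuthenticate() is
            // assumed to clear the Credentials too, so keep a copy first
            // and restore it for the real authentication below.
            String username = getCredentials().getUsername();
            String password = getCredentials().getPassword();
            unAuthenticate();
            getCredentials().setUsername(username);
            getCredentials().setPassword(password);
        }
        // isLoggedIn() is now false, so the base class runs the normal
        // JAAS/authenticator path. A failed attempt throws LoginException
        // and leaves the session logged out rather than keeping user1.
        super.authenticate();
    }
}
```

               Note that this fails closed: a bad second login logs the previously authenticated user out, which is the behaviour you want when the login screen is reachable from an authenticated session.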
              
              


              • 4. Re: Seam login problem
                cash1981

                If that is the case it is a big security issue. However, using your own authenticator implementation it will not do that. I just tried with our app, and it didn't bump the user.

                • 5. Re: Seam login problem
                  bashan

                  2 things:
                  1) I am not sure if this is a security hole related to Seam, since, after all, I explicitly said in my pages.xml:


                  <rule if="#{identity.loggedIn}">
                          <redirect view-id="/home.xhtml"/>
                        </rule>
                  


                  So I guess Seam simply executes the rule before it ever even has the chance of executing the Authenticator code.
                  2) Frankly, the real behavior that would be good for me: if the user is already logged in and comes to the signin page, I don't even want to show him the signin page, and just redirect him to the page that comes after login. In general, I want that if the user is LOGGED IN, on every page which is considered to be before the login page, the user will simply be directed to the page after login. Has anyone implemented such behavior?


                  Thanks,
                  Guy

                  • 6. Re: Seam login problem
                    cash1981

                    I have that rule only when you push the login button.




                    <navigation from-action="#{authenticator.identityLogin}">
                      <rule if="#{identity.loggedIn and identity.hasRole('officer')}">
                        <raise-event type="cleanupUserInfo"/>
                        <redirect view-id="/mypage.xhtml" />
                      </rule>
                    </navigation>



                    And you can also type in this if you want:




                    <page view-id="*" login-required="true">





                    That should be enough. However I have the opposite. I have



                    <page view-id="*">



                    and then on each of the folders or pages I have explicitly set login-required to true.




                    <page login-required="true" view-id="/admin/*">



                    • 7. Re: Seam login problem
                      kapitanpetko

                      Shervin Asgari wrote on Nov 09, 2009 11:32:


                      If that is the case it is a big security issue. However, using your own authenticator implementation it will not do that. I just tried with our app, and it didn't bump the user.



                      I might've overreacted a bit :) You are right: since it is your authentication method that manages roles, and it is not called, there will be no change in roles. The only thing that changes is the username in the Identity/Credentials component. If you rely on that for some reason, you might be in trouble. At any rate, an (apparent) successful login with invalid credentials is a bug, if not in Seam, then in the application.