-
1. Re: NullPointer missing IdentityStore RememberMe Token
jones.kong83.gmail.com Jul 20, 2011 10:37 AM (in response to jones.kong83.gmail.com)
This message would be printed. Where does it have to find the method? It is not contained in the factories map in the seam.core.Init class.
if ( log.isTraceEnabled() ) log.trace("Seam component not found: " + name);
-
2. Re: NullPointer missing IdentityStore RememberMe Token
jones.kong83.gmail.com Jul 20, 2011 11:26 AM (in response to jones.kong83.gmail.com)
OK, I enabled the JpaIdentityStore in the components.xml. It seems I really have to implement my own IdentityStore, or at least the lookup method.
-
3. Re: NullPointer missing IdentityStore RememberMe Token
jones.kong83.gmail.com Jul 21, 2011 4:12 PM (in response to jones.kong83.gmail.com)
Just to sum up the problems I encountered. The documentation in chapter 15.3.5.1. covers just half of the points that are required.
- RememberMe makes use of the IdentityManager, which itself uses the IdentityStore, which is not enabled by default. So
<component class="org.jboss.seam.security.management.JpaIdentityStore"/>
is required.
- Furthermore, the JpaIdentityStore requires some configuration mentioned in 15.4.2. But my username was not part of the account object (it was contained in a list in the account object) and my roles were not an entity, just an enum (OK, that could have been changed). Anyway, I skipped the configuration in 15.4.2 and have overridden the isUserEnabled() and getImpliedRoles methods.
- You should add Identity.tryLogin(), but with tryLogin() a silent login is triggered, which does not raise the LoginSuccessful event to return to the captured page.
<event type="org.jboss.seam.security.notLoggedIn">
    <action execute="#{redirect.captureCurrentView}"/>
    <action execute="#{identity.tryLogin()}"/>
</event>
<event type="org.jboss.seam.security.loginSuccessful">
    <action execute="#{redirect.returnToCapturedView}"/>
</event>
I made my own authenticator.tryLogin() where I call identity.tryLogin() and afterwards I fire the loginSuccessful event. The problem now is that all these events occur in a row, and both captureCurrentView and returnToCapturedView are doing a redirect, where the first one is executed, so I get to the sign-on page. Will check it out tomorrow.
- The RememberMe default behavior is to invalidate all tokens of a user if his token does not exist. So anyone can set the cookie with the username of someone else to invalidate all his tokens.
if (tokenStore.validateToken(decoded.getUsername(), decoded.getValue())) {
    credentials.setUsername(decoded.getUsername());
    credentials.setPassword(decoded.getValue());
} else {
    // Have we been compromised? Just in case, invalidate all authentication tokens
    tokenStore.invalidateAll(decoded.getUsername());
}
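
One way to close the revoke-by-username gap described in the last point, as an added example that is not from the original post and is not Seam code: tokens are keyed by a random series id, and a user's tokens are revoked only when a known series arrives with a stale token. The class name SeriesTokenStore, the "series:token" cookie layout and the in-memory map are assumptions; Java 16+ is needed for the record.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical store, not a Seam class. Only a SHA-256 hash of each token is kept.
public class SeriesTokenStore {
    private record Entry(String username, byte[] tokenHash) {}
    private final Map<String, Entry> bySeries = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Called after a real password login; the return value goes into the cookie.
    public String issue(String username) { return store(randomId(), username); }

    // Returns the rotated cookie value on success, empty if the cookie is rejected.
    public synchronized Optional<String> validate(String username, String cookie) {
        String[] p = cookie == null ? new String[0] : cookie.split(":", 2);
        Entry e = p.length == 2 ? bySeries.get(p[0]) : null;
        // Unknown series or wrong owner: the sender proved nothing, so revoke nothing.
        if (e == null || !e.username().equals(username)) return Optional.empty();
        if (MessageDigest.isEqual(e.tokenHash(), sha256(p[1])))
            return Optional.of(store(p[0], username)); // same series, fresh token
        // Known series with a stale token: a copied cookie was replayed. Revoke this user.
        bySeries.values().removeIf(x -> x.username().equals(username));
        return Optional.empty();
    }

    private String store(String series, String username) {
        String token = randomId();
        bySeries.put(series, new Entry(username, sha256(token)));
        return series + ":" + token;
    }

    private String randomId() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }
}
```

A cookie that carries only someone else's username and a made-up value takes the first rejection branch and leaves that user's tokens in place.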