6 Replies Latest reply on Sep 21, 2012 10:48 AM by ibek

    @RequireAuthentication doesn't work

    ibek

      Hi,

      I have a problem with authentication in JBoss Errai (2.0.2.Final and 2.1.0-SNAPSHOT). Through ErraiBus.get() I subscribe "LoginClient", but when I call any of the secured RPCs ... the SecurityChallenge command isn't received. Other commands are received correctly (SuccessfulAuth, EndSession ...). I use my own AuthAdapter and noticed that the isAuthenticated method is not called.

       

      I also tried setting errai.require_authentication_for_all=true, but nothing changed; the methods are still called.

       

      The SecuredServiceImpl has Service and RequireAuthentication annotations.

       

      Thanks, Ivo

        • 1. Re: @RequireAuthentication doesn't work
          ibek

          Does @RequireAuthentication work for anybody, or is it a bug? Otherwise, I would like to figure out what I am doing wrong.

           

          Simply put, I have a @Remote SecuredService and its implementation (SecuredServiceImpl with @Service and @RequireAuthentication annotations), and I call it through RPC with an injected Caller<SecuredService>. I really have no idea what could be wrong, unless it's a bug.

          • 2. Re: @RequireAuthentication doesn't work
            cbrock

            Can you give me more information on what you're doing? Are you using CDI?

            • 3. Re: @RequireAuthentication doesn't work
              ibek

              Hi Mike,

              Sure I can, and yes, I use CDI.

               

              Here is the current implementation of SecuredServiceImpl.

               

              @ApplicationScoped
              @Service
              @RequireAuthentication
              public class SecuredServiceImpl implements SecuredService {

                  @Inject
                  private Logger _log; // that's provided by Resources with @Produces

                  @Inject
                  private DataManager _dm; // that's a stateless bean

                  @Inject
                  private UserService _us; // this is also a @Service but without @RequireAuthentication

                  private RequestDispatcher _dispatcher = ErraiBus.getDispatcher(); // I plan to use it later, but it isn't used now.

                  // methods ...
                  public Data getPrivateData(params) {...}
              }

               

              On the client side I have:

               

              @Inject
              private Caller<SecuredService> securedService;

              private void someMethod() {
                  securedService.call(new RemoteCallback<List<Data>>() {
                      @Override
                      public void callback(List<Data> response) {
                          // action
                      }
                  }, new ErrorCallback() {
                      @Override
                      public boolean error(Message message, Throwable throwable) {
                          display.error(...);
                          return false;
                      }
                  }).getPrivateData(...);
              }

               

              And that's all, a really simple example. Everything works fine except for @RequireAuthentication. When the user is not connected, getPrivateData is still called instead of a message with the SecurityChallenge command being returned to "LoginClient".

              • 4. Re: @RequireAuthentication doesn't work
                cbrock

                So, that is your problem, unfortunately. Our security framework is *only* for our Guice-based server-side framework. We don't currently have a security framework for CDI. In fact, we're not planning on maintaining one ourselves. Instead, we've pointed users to Seam Security, and in the future we will be standardizing on the security framework which comes out of the Apache DeltaSpike project.

                • 5. Re: @RequireAuthentication doesn't work
                  ibek

                  Thank you, I will try to do that differently then. Good to know ... maybe I will try to use my own interceptor to check that the user is authenticated.

                  • 6. Re: @RequireAuthentication doesn't work
                    ibek

                    I confirm that it really works with my own security interceptor. Here is the interceptor that I created:

                     

                    @RequireAuthentication // it's my own annotation with @InterceptorBinding for this interceptor
                    @Interceptor
                    public class SecurityInterceptor implements Serializable {

                        private static final long serialVersionUID = -6545213208008101417L;

                        @Inject
                        MessageBus bus;

                        public SecurityInterceptor() {
                        }

                        @AroundInvoke
                        public Object isAuthenticated(InvocationContext invocationContext)
                            throws Exception {

                            HttpSession session = RpcContext.getHttpSession();
                            if (session != null && check the session that user is authenticated) {
                               return invocationContext.proceed();
                            } else {
                               MessageBuilder.createMessage()
                                .toSubject("LoginClient")
                                .command(SecurityCommands.SecurityChallenge)
                                .getMessage().sendNowWith(bus);
                               return null;
                            }
                        }

                    }

                    1 of 1 people found this helpful
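
Added example, not part of the thread and not Errai's own code: the interceptor binding that reply 6 mentions but does not show, with a fail-closed variant of the session check that throws instead of returning null. The package name `com.example.security`, the session attribute `authenticatedUser`, and the choice of `SecurityException` are assumptions; `RpcContext.getHttpSession()` is the call used in reply 6.

```java
// File: RequireAuthentication.java (constructed package name)
package com.example.security;

import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.interceptor.InterceptorBinding;

@Inherited
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface RequireAuthentication {}

// File: SecurityInterceptor.java
package com.example.security;

import java.io.Serializable;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import javax.servlet.http.HttpSession;
import org.jboss.errai.bus.server.api.RpcContext;

// CDI 1.0 only invokes interceptors that are enabled in beans.xml:
//   <interceptors><class>com.example.security.SecurityInterceptor</class></interceptors>
// Without that entry the binding annotation is silently ignored.
@RequireAuthentication
@Interceptor
public class SecurityInterceptor implements Serializable {
    private static final long serialVersionUID = 1L;

    // Assumption: the login code stores the verified user under this attribute.
    static final String USER_ATTR = "authenticatedUser";

    @AroundInvoke
    public Object requireUser(InvocationContext ctx) throws Exception {
        HttpSession session = RpcContext.getHttpSession();
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            // Fail closed: the secured method never runs, and the caller gets
            // an error rather than a null that looks like an empty result.
            throw new SecurityException(
                "authentication required for " + ctx.getMethod().getName());
        }
        return ctx.proceed();
    }
}
```

The service class must import this binding annotation rather than Errai's annotation of the same name, otherwise the interceptor is never bound to it.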