3 Replies Latest reply on Feb 15, 2014 5:32 AM by pjotrovsky

How to Implement Application ONLY authentication

aafritz Feb 11, 2014 6:59 PM

Previously in JBoss+Seam it was possibly to totally bypass the complicated and unnecessary in the context container managed security mechanism via the Identity bean/object plus a couple custom bean/logic classes and <security:identity authenticate-method="#{loginBean.login}"/> in components.xml. Clear and simple java code then handled application specific logic (like ensuring the client was paid up) and decided if they could log in. Simple and effective and totally flexible.

I'm writing a new app in Wildfly for a new project and have no desire to complicate life with Seam. How, with Wildfly + JSF can I manage my own logins WITHOUT using container managed security?

My app does NOT need to share credentials with other apps running on the server (nor will any other app ever run on the server, period). The app must have its own full featured user management and needs features not possible (as far as I can tell) in the JDBCWhateverLoginSecurityWidgitDoDad... Implementing my own security adapter seems far to complicated and convoluted especially since I do not need it. I just want to insert the needed information into the session so that the frameworks can use the built in hasRole and isLoggedIn methods, so the security-contraints in web.xml work and related annotations and tags work. All of this should rely on something in the session, but it is not documented anywhere I can find.

I've scowered the documentation and I find no references to this even though it seems like a day zero feature for anyone writing a standalone app needs (others have noted that this huge gaping hole in the java EE spec also)...

1. Re: How to Implement Application ONLY authentication

sfcoy Feb 11, 2014 7:45 PM (in response to aafritz)

This question may be easier to answer if you can give us a better idea of your requirements (i.e. "features not possible").
Actions
2. Re: How to Implement Application ONLY authentication

aafritz Feb 11, 2014 8:00 PM (in response to sfcoy)

1) I am using credentials that are more complicated than username+password and want the flexibility to arbitrarily alter them without the complication of container managed security. I also need features like the ability to add roles at runtime not in the database (Ex: SuperUser automatically results in the users having every role queried and added to their role list among other things). There are other features likely needed but it is hard to say what those are this early.

2) I know that the container managed security isn't appropriate for this application (It don't need any of the features it provides aside from checking credentials which is a trivially simple task that shouldn't need that much overhead). What used to be easily possible with Seam is totally missing... I need the system to call a method I specify that returns a Boolean true or false if the user authenticated. That method (that I implement) will do the actual check of the credentials and manipulate the roles as needed.

This is my 5th large app... The first to hit this wall because this basic feature was provided by Seam.
Actions
3. Re: How to Implement Application ONLY authentication

pjotrovsky Feb 15, 2014 5:32 AM (in response to aafritz)

Hi, if you want to stick to the seam-like authentication/authorization model, may be this can be suitable for you:
http://docs.jboss.org/picketlink/2/latest/reference/html/ch02.html#d5e197
Look at:
https://github.com/wildfly/quickstart/tree/master/picketlink-authentication-idm-jsf
and
https://github.com/wildfly/quickstart/tree/master/servlet-security

Just a hint to get you an idea, if you dont want to dive deep into cont. security:
https://docs.jboss.org/author/display/WFLY8/Security+Realms
Actions

Go to original post