2 Replies Latest reply on Apr 26, 2016 6:37 PM by johncarl81

    Seam 2.3.1.Final <restrict> with 3rd party authentication

    johncarl81
    johncarl81 Feb 19, 2016 6:47 PM

      We are upgrading our applications to 2.3.1.Final from 2.2.0.GA.  With 2.2.0.GA we follow a 3rd party (J2EE?) authentication model, leveraging a single signon service.  In order to get this to work, we had to disable the identity filter to access the HTTPRequest.getRemoteUser():

      components.xml:

          <web:identity-filter disabled="true"/>

       

      Along with this we have a series of restrictions in the pages.xml file:

          <page view-id="/home.xhtml">

              <restrict>

                  #{user!= null and userAccessAction.isValid()}

              </restrict>

          </page>

       

      With the upgrade to 2.3.1.Final we followed Dan's advice and set security-enabled="false" in the components.xml instead of disabling the identity-filter.  This works well, as we get access to the HTTPRequest.getRemoteUser() method.  The drawback is <restrict/>s no longer function as expected.  Is there a replacement for <restrict> or should we try a different strategy?

       

      Thanks.

        • 1. Re: Seam 2.3.1.Final <restrict> with 3rd party authentication
          vata2999
          vata2999 Feb 20, 2016 12:59 AM (in response to johncarl81)

          By setting security-enabled to false Identity component is almost useless.

          Seam doesn't do any magic for restrictions it only checks a simple boolean which you can get from

           

          Expressions.instance().createValueExpression(expr, Boolean.class).getValue();

           

          unless you are using permissions  which in this case, I think you can create a custom component with permission store to get what you need, then use Seam permissionMapper.

           

          components.xml

           

           <component name="org.jboss.seam.security.persistentPermissionResolver" class="org.jboss.seam.security.permission.PersistentPermissionResolver">
            <property name="permissionStore">#{customPermissionStore}</property>
        </component>

           

          @Name("customPermissionStore")
@Install(value = true)
@Scope(APPLICATION)
@BypassInterceptors
public class CustomPermissionStore extends JpaPermissionStore
{
     ....
}

           

          that's all I know.

            • Actions
          • 2. Re: Seam 2.3.1.Final <restrict> with 3rd party authentication
            johncarl81
            johncarl81 Apr 26, 2016 6:37 PM (in response to vata2999)

            After trying the approach Omid suggested and another technqiue using Prettyfaces to restrict page access, we ended up using Prettyfaces:

             

            Pretty URLs for JavaServer Faces and Java Application Servers | OCPsoft

              • Actions