1 2 Previous Next 21 Replies Latest reply on Feb 1, 2007 5:41 AM by Gavin King

    Advice on Security System

    Michael Singer Newbie

      I know the security in seam is not yet finished but as far as I can not implement my use case. Let me explain:

      On my login form I have 3 inputfields, a username, a password and a domain.

      When the user clicks the login button the system needs to get all loginmodules configured for the given domain and authenticate against them according to the configuration.

      so what I would need is a configuration like this (login-config from jbossAS:

      <application-policy name="internal"> <!-- name is the given domain -->
       <authentication>
       <login-module code="foo.bar.LDAPLoginModule" flag="optional">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://1.2.3.4:389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="principalDNPrefix">uid=</module-option>
       <module-option name="principalDNSuffix">,ou=User,dc=test2,dc=local</module-option>
       <module-option name="roleName">OpenLDAP</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="optional">
       <module-option name="dsJndiName">java:/LoginDS</module-option>
       <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
       <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <application-policy name="external">
       <authentication>
       <login-module code="foo.bar.LDAPLoginModule" flag="optional">
       <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
       <module-option name="java.naming.provider.url">ldap://20.30.40.50:389/</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <!--module-option name="principalDNPrefix">uid=</module-option-->
       <module-option name="principalDNSuffix">@test.local</module-option>
       <module-option name="roleName">Active Directory</module-option>
       </login-module>
       <loginmodule class="foo.bar.SeamCustomLoginModule"
       flag="required">
       <option name="paramTypes">
       java.lang.String,java.lang.String,java.lang.String,java.util.Set
       </option>
       <option name="authMethod">
       #{authenticator.authenticate}
       </option>
       </loginmodule>
       </authentication>
       </application-policy>
      
      Please notice that the attribute name in application-policy should match the domain the user selects on the login form and then authentication should be performed against the loginmodules in this application-policy.
      
      Maybe someone can give me a pointer what to extend or how to support such an authentication use case
      
      regards Mike


        • 1. Re: Advice on Security System
          Shane Bryzak Master

          I've made a few changes in the security API to support this now.

          • 2. Re: Advice on Security System
            Michael Singer Newbie

            Thank you very much for this. I am currently testing this and I have the following issue:

            11:08:51,187 ERROR [[/join2learn]] Session attribute event listener threw exception
            java.lang.ClassCastException: org.jboss.seam.security.Identity
             at $javax.servlet.http.HttpSessionActivationListener$$FastClassByCGLIB$$d658c913.invoke(<generated>)
             at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:149)
             at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:89)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:55)
             at org.jboss.seam.interceptors.OutcomeInterceptor.interceptOutcome(OutcomeInterceptor.java:21)
             at sun.reflect.GeneratedMethodAccessor171.invoke(Unknown Source)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
             at java.lang.reflect.Method.invoke(Method.java:585)
             at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
             at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
             at org.jboss.seam.interceptors.RollbackInterceptor.rollbackIfNecessary(RollbackInterceptor.java:29)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
             at java.lang.reflect.Method.invoke(Method.java:585)
             at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
             at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
             at org.jboss.seam.interceptors.ConversationInterceptor.endOrBeginLongRunningConversation(ConversationInterceptor.java:52)
             at sun.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
             at java.lang.reflect.Method.invoke(Method.java:585)
             at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
             at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
             at org.jboss.seam.interceptors.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:27)
             at sun.reflect.GeneratedMethodAccessor169.invoke(Unknown Source)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
             at java.lang.reflect.Method.invoke(Method.java:585)
             at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
             at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
             at org.jboss.seam.interceptors.ExceptionInterceptor.handleExceptions(ExceptionInterceptor.java:39)
             at sun.reflect.GeneratedMethodAccessor166.invoke(Unknown Source)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
             at java.lang.reflect.Method.invoke(Method.java:585)
             at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
             at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
             at org.jboss.seam.interceptors.SynchronizationInterceptor.serialize(SynchronizationInterceptor.java:31)
             at sun.reflect.GeneratedMethodAccessor165.invoke(Unknown Source)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
             at java.lang.reflect.Method.invoke(Method.java:585)
             at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
             at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
             at org.jboss.seam.intercept.RootInterceptor.createSeamInvocationContext(RootInterceptor.java:144)
             at org.jboss.seam.intercept.RootInterceptor.invokeInContexts(RootInterceptor.java:129)
             at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:112)
             at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:145)
             at org.jboss.seam.intercept.JavaBeanInterceptor.intercept(JavaBeanInterceptor.java:80)
             at org.jboss.seam.security.Identity$$EnhancerByCGLIB$$dcd6fd12.sessionWillPassivate(<generated>)
             at org.jboss.web.tomcat.tc5.session.ClusteredSession.passivate(ClusteredSession.java:896)
             at org.jboss.web.tomcat.tc5.session.JBossCacheManager.storeSession(JBossCacheManager.java:642)
             at org.jboss.web.tomcat.tc5.session.InstantSnapshotManager.snapshot(InstantSnapshotManager.java:49)
             at org.jboss.web.tomcat.tc5.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:98)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
             at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
             at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
             at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
             at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
             at java.lang.Thread.run(Thread.java:595)
            


            debug.seam message for org.jboss.seam.security.identity:

            callbacks [org.jboss.seam.intercept.JavaBeanInterceptor@17f7411]
            class class org.jboss.seam.security.Identity$$EnhancerByCGLIB$$ae5bb089
            loggedIn false
            principal
            subject Betreff: Principal: mike Principal: roles(members:sysadmin,admin)
            toString() org.jboss.seam.security.Identity@1030eda
            


            and my application policy:

             <application-policy name="test">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
             <module-option name="dsJndiName">java:jdbc/users-ds</module-option>
             <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
             <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
             </login-module>
             </authentication>
             </application-policy>
            


            It seems that the authentication process works correctly but I don't know how to find out where this classcast exception is thrown and why.

            The seamspace example works correctly.

            Any hints?

            • 3. Re: Advice on Security System
              Shane Bryzak Master

              I can't tell what's causing the ClassCastException from that stack trace, however the DatabaseServerLoginModule login module that you're using is a JBoss AS-specific login module, and won't work as is with Seam security. The unfortunate truth is that each app server implements security differently, and even though they might all use JAAS, the specification isn't specific enough to ensure compatibility.

              I agree it would be nice to have some kind of layer/adapter that allowed at least the JBoss login modules to be used, however this won't be available in the initial security release. For the time being if you are authenticating against a database I recommend using SeamLoginModule, following the Seamspace example.

              • 4. Re: Advice on Security System
                Michael Singer Newbie

                ok, I figured out that the classcast exception is thrown if I add the

                <distributable/>
                tag to web.xml, this exception is also thrown in the seamspace example if I add this tag (also after I annotate the SFSBs with @Clustered).

                So this is another problem I will focus on later...

                But I noticed that org.jboss.seam.security.Identity is checking the principals against SimplePrincipal and SimpleGroup and not against the Interfaces.

                So I get

                callbacks [org.jboss.seam.intercept.JavaBeanInterceptor@17f7411]
                class class org.jboss.seam.security.Identity$$EnhancerByCGLIB$$ae5bb089
                loggedIn false
                principal
                subject Betreff: Principal: mike Principal: roles(members:sysadmin,admin)
                toString() org.jboss.seam.security.Identity@1030eda
                


                Note that the principal is empty and loggedIn is therefore false.

                I tried to change the methods getPrincipal() and isUserInRole(String role) in Identity.java to check against the Interfaces Group and Principal (instead of SimpleGroup and SimplePrincipal) which resulted in the following Exception in SeamSpace after clicking the login button:

                javax.ejb.EJBException: javax.persistence.NoResultException: No entity found for query
                 at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:69)
                 at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
                 at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.stateful.StatefulInstanceInterceptor.invoke(StatefulInstanceInterceptor.java:83)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.aspects.remoting.ReplicantsManagerInterceptor.invoke(ReplicantsManagerInterceptor.java:51)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
                 at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.stateful.StatefulContainer.localInvoke(StatefulContainer.java:203)
                 at org.jboss.ejb3.stateful.StatefulLocalProxy.invoke(StatefulLocalProxy.java:98)
                 at $Proxy171.display(Unknown Source)
                 at org.jboss.seam.example.seamspace.ProfileLocal$$FastClassByCGLIB$$c6d6fe9b.invoke(<generated>)
                 at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:149)
                 at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:89)
                 at org.jboss.seam.intercept.ClientSideInterceptor$1.proceed(ClientSideInterceptor.java:74)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:55)
                 at org.jboss.seam.interceptors.RemoveInterceptor.removeIfNecessary(RemoveInterceptor.java:40)
                 at sun.reflect.GeneratedMethodAccessor217.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                 at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                 at org.jboss.seam.interceptors.ExceptionInterceptor.handleExceptions(ExceptionInterceptor.java:39)
                 at sun.reflect.GeneratedMethodAccessor177.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                 at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                 at org.jboss.seam.intercept.RootInterceptor.createSeamInvocationContext(RootInterceptor.java:144)
                 at org.jboss.seam.intercept.RootInterceptor.invokeInContexts(RootInterceptor.java:129)
                 at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:102)
                 at org.jboss.seam.intercept.ClientSideInterceptor.interceptInvocation(ClientSideInterceptor.java:83)
                 at org.jboss.seam.intercept.ClientSideInterceptor.intercept(ClientSideInterceptor.java:52)
                 at org.jboss.seam.example.seamspace.ProfileLocal$$EnhancerByCGLIB$$81a54d4c.display(<generated>)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                 at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:203)
                 at org.jboss.seam.Component.callComponentMethod(Component.java:1797)
                 at org.jboss.seam.Component.getInstanceFromFactory(Component.java:1684)
                 at org.jboss.seam.Component.getInstance(Component.java:1621)
                 at org.jboss.seam.Component.getInstance(Component.java:1598)
                 at org.jboss.seam.jsf.SeamVariableResolver.resolveVariable(SeamVariableResolver.java:105)
                 at org.apache.myfaces.config.LastVariableResolverInChain.resolveVariable(LastVariableResolverInChain.java:42)
                 at com.sun.facelets.el.LegacyELContext$LegacyELResolver.getValue(LegacyELContext.java:134)
                 at com.sun.el.parser.AstIdentifier.getValue(AstIdentifier.java:65)
                 at com.sun.el.parser.AstEqual.getValue(AstEqual.java:41)
                 at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192)
                 at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
                 at com.sun.facelets.el.LegacyValueBinding.getValue(LegacyValueBinding.java:56)
                 at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:1075)
                 at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:241)
                 at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:249)
                 at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:573)
                 at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:384)
                 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                 at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:91)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                 at org.jboss.seam.security.filter.SeamSecurityFilter.doFilter(SeamSecurityFilter.java:68)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                 at org.jboss.seam.servlet.SeamRedirectFilter.doFilter(SeamRedirectFilter.java:63)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                 at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
                 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
                 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
                 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                 at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
                 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
                 at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
                 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                 at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                 at java.lang.Thread.run(Thread.java:595)
                Caused by: javax.persistence.NoResultException: No entity found for query
                 at org.hibernate.ejb.QueryImpl.getSingleResult(QueryImpl.java:82)
                 at org.jboss.seam.example.seamspace.ProfileAction.display(ProfileAction.java:44)
                 at sun.reflect.GeneratedMethodAccessor228.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
                 at org.jboss.ejb3.cache.StatefulReplicationInterceptor.invoke(StatefulReplicationInterceptor.java:45)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
                 at org.jboss.seam.intercept.EJBInvocationContext.proceed(EJBInvocationContext.java:73)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:55)
                 at org.jboss.seam.interceptors.BijectionInterceptor.bijectNonreentrantComponent(BijectionInterceptor.java:79)
                 at org.jboss.seam.interceptors.BijectionInterceptor.bijectComponent(BijectionInterceptor.java:58)
                 at sun.reflect.GeneratedMethodAccessor215.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                 at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                 at org.jboss.seam.interceptors.OutcomeInterceptor.interceptOutcome(OutcomeInterceptor.java:21)
                 at sun.reflect.GeneratedMethodAccessor180.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                 at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                 at org.jboss.seam.interceptors.ConversationInterceptor.endOrBeginLongRunningConversation(ConversationInterceptor.java:52)
                 at sun.reflect.GeneratedMethodAccessor179.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                 at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                 at org.jboss.seam.interceptors.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:27)
                 at sun.reflect.GeneratedMethodAccessor178.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                 at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                 at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                 at org.jboss.seam.intercept.RootInterceptor.createSeamInvocationContext(RootInterceptor.java:144)
                 at org.jboss.seam.intercept.RootInterceptor.invokeInContexts(RootInterceptor.java:129)
                 at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:102)
                 at org.jboss.seam.intercept.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:50)
                 at sun.reflect.GeneratedMethodAccessor214.invoke(Unknown Source)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:585)
                 at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118)
                 at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.entity.ExtendedPersistenceContextPropagationInterceptor.invoke(ExtendedPersistenceContextPropagationInterceptor.java:57)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:46)
                 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                 at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
                 ... 95 more
                


                The Changed Methods:

                 public Principal getPrincipal()
                 {
                 if (principal == null)
                 {
                 Set<Principal> principals = subject.getPrincipals(Principal.class);
                 if (!principals.isEmpty())
                 principal = principals.iterator().next();
                 }
                
                 return principal;
                 }
                
                 public boolean isUserInRole(String role)
                 {
                 for (Group sg : subject.getPrincipals(Group.class))
                 {
                 if ("roles".equals(sg.getName()))
                 {
                 return sg.isMember(new SimplePrincipal(role));
                 }
                 }
                
                 return false;
                 }
                


                This changes work with the original Jboss DatabaseLoginModule but the SeamSpace example has some problems with it...

                • 5. Re: Advice on Security System
                  Shane Bryzak Master

                  I made the same changes you did to Identity (and committed them to CVS) and the seamspace example still works fine for me. I'm not sure what to suggest, other than putting a breakpoint in Identity.getPrincipal() and checking which principals actually get asserted into the subject as a result of authentication.

                  • 6. Re: Advice on Security System
                    Michael Singer Newbie

                    never mind, since my app is now working and the changes will be committed ;-)

                    Besides that I noticed that SimplePrincipal is not serializable and I got notserializableexceptions during my tests maybe since I am developing for a clustered environment, fyi

                    • 7. Re: Advice on Security System
                      Michael Singer Newbie

                      How did you login the seamspace application?

                      If I try with demo/demo I get this strange exception on profile.seam...
                      If I then go back to home.seam (reload home.seam) I am logged in with demo.

                      If I login with duke/duke everything works

                      fyi

                      • 8. Re: Advice on Security System
                        Shane Bryzak Master

                         

                        "mikepkp17" wrote:

                        Besides that I noticed that SimplePrincipal is not serializable and I got notserializableexceptions during my tests maybe since I am developing for a clustered environment, fyi


                        That was an oversight on my part, it's now Serializable.

                        • 9. Re: Advice on Security System
                          Shane Bryzak Master

                           

                          "mikepkp17" wrote:
                          How did you login the seamspace application?

                          If I try with demo/demo I get this strange exception on profile.seam...
                          If I then go back to home.seam (reload home.seam) I am logged in with demo.

                          If I login with duke/duke everything works

                          fyi


                          I just used demo/demo. Do you have all the latest code from CVS?

                          • 10. Re: Advice on Security System
                            Michael Singer Newbie

                            Yes I do, I also deleted the data folder where I think the hsqldb stuff is in (?) and also deleted tmp and work folder...

                            The only thing is that I run a JBoss 4.0.5.GA clustered environment, but I don't see if this might be a problem somehow but as I stated earlier the distributed tag in web.xml does make some problems...

                            I also checked the table entries with the hsqldb manager app and couldn't see any differences between dukes and demos entries.

                            So if I have some time tomorrow I will deploy seamspace on a clean jboss cluster environment and let you know if it works then...

                            • 11. Re: Advice on Security System
                              Michael Singer Newbie

                              Hm, I did the test now since this issue makes me curious ;-)

                              1. I checked out the latest head from cvs
                              2. I downloaded latest jems installer, jems-installer-1.2.0.GA.jar
                              3. I installed the ejb3 configuration and did no customizations
                              4. got to console into seam checkout folder and ran "ant clean" followed by "ant" to build seam
                              5. got to console into seamspace folder and ran "ant clean" followed by "ant" to build and deploy seamspace
                              6. started jboss
                              7. got to seamspace website
                              8. tried to log in with demo/demo --> Exception

                              javax.ejb.EJBException: javax.persistence.NoResultException: No entity found for query
                               at org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:69)
                               at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:83)
                               at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:191)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.ejb3.stateful.StatefulInstanceInterceptor.invoke(StatefulInstanceInterceptor.java:83)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
                               at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:102)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.ejb3.stateful.StatefulContainer.localInvoke(StatefulContainer.java:203)
                               at org.jboss.ejb3.stateful.StatefulLocalProxy.invoke(StatefulLocalProxy.java:98)
                               at $Proxy118.display(Unknown Source)
                               at org.jboss.seam.example.seamspace.ProfileLocal$$FastClassByCGLIB$$c6d6fe9b.invoke(<generated>)
                               at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:149)
                               at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:89)
                               at org.jboss.seam.intercept.ClientSideInterceptor$1.proceed(ClientSideInterceptor.java:74)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:55)
                               at org.jboss.seam.interceptors.RemoveInterceptor.removeIfNecessary(RemoveInterceptor.java:40)
                               at sun.reflect.GeneratedMethodAccessor159.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                               at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                               at org.jboss.seam.interceptors.ExceptionInterceptor.handleExceptions(ExceptionInterceptor.java:39)
                               at sun.reflect.GeneratedMethodAccessor120.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                               at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                               at org.jboss.seam.intercept.RootInterceptor.createSeamInvocationContext(RootInterceptor.java:144)
                               at org.jboss.seam.intercept.RootInterceptor.invokeInContexts(RootInterceptor.java:129)
                               at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:102)
                               at org.jboss.seam.intercept.ClientSideInterceptor.interceptInvocation(ClientSideInterceptor.java:83)
                               at org.jboss.seam.intercept.ClientSideInterceptor.intercept(ClientSideInterceptor.java:52)
                               at org.jboss.seam.example.seamspace.ProfileLocal$$EnhancerByCGLIB$$e6a28e51.display(<generated>)
                               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                               at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:203)
                               at org.jboss.seam.Component.callComponentMethod(Component.java:1797)
                               at org.jboss.seam.Component.getInstanceFromFactory(Component.java:1684)
                               at org.jboss.seam.Component.getInstance(Component.java:1621)
                               at org.jboss.seam.Component.getInstance(Component.java:1598)
                               at org.jboss.seam.jsf.SeamVariableResolver.resolveVariable(SeamVariableResolver.java:105)
                               at org.apache.myfaces.config.LastVariableResolverInChain.resolveVariable(LastVariableResolverInChain.java:42)
                               at com.sun.facelets.el.LegacyELContext$LegacyELResolver.getValue(LegacyELContext.java:134)
                               at com.sun.el.parser.AstIdentifier.getValue(AstIdentifier.java:65)
                               at com.sun.el.parser.AstEqual.getValue(AstEqual.java:41)
                               at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192)
                               at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
                               at com.sun.facelets.el.LegacyValueBinding.getValue(LegacyValueBinding.java:56)
                               at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:1075)
                               at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:241)
                               at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:249)
                               at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:573)
                               at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:384)
                               at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:91)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.jboss.seam.security.filter.SeamSecurityFilter.doFilter(SeamSecurityFilter.java:68)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.jboss.seam.servlet.SeamRedirectFilter.doFilter(SeamRedirectFilter.java:63)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
                               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
                               at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
                               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                               at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
                               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
                               at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
                               at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                               at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                               at java.lang.Thread.run(Thread.java:595)
                              Caused by: javax.persistence.NoResultException: No entity found for query
                               at org.hibernate.ejb.QueryImpl.getSingleResult(QueryImpl.java:82)
                               at org.jboss.seam.example.seamspace.ProfileAction.display(ProfileAction.java:42)
                               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
                               at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
                               at org.jboss.seam.intercept.EJBInvocationContext.proceed(EJBInvocationContext.java:73)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:55)
                               at org.jboss.seam.interceptors.BijectionInterceptor.bijectNonreentrantComponent(BijectionInterceptor.java:79)
                               at org.jboss.seam.interceptors.BijectionInterceptor.bijectComponent(BijectionInterceptor.java:58)
                               at sun.reflect.GeneratedMethodAccessor157.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                               at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                               at org.jboss.seam.interceptors.OutcomeInterceptor.interceptOutcome(OutcomeInterceptor.java:21)
                               at sun.reflect.GeneratedMethodAccessor123.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                               at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                               at org.jboss.seam.interceptors.ConversationInterceptor.endOrBeginLongRunningConversation(ConversationInterceptor.java:52)
                               at sun.reflect.GeneratedMethodAccessor122.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                               at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                               at org.jboss.seam.interceptors.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:27)
                               at sun.reflect.GeneratedMethodAccessor121.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.seam.util.Reflections.invoke(Reflections.java:35)
                               at org.jboss.seam.intercept.Interceptor.aroundInvoke(Interceptor.java:337)
                               at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:64)
                               at org.jboss.seam.intercept.RootInterceptor.createSeamInvocationContext(RootInterceptor.java:144)
                               at org.jboss.seam.intercept.RootInterceptor.invokeInContexts(RootInterceptor.java:129)
                               at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:102)
                               at org.jboss.seam.intercept.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:50)
                               at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:585)
                               at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118)
                               at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.ejb3.entity.ExtendedPersistenceContextPropagationInterceptor.invoke(ExtendedPersistenceContextPropagationInterceptor.java:57)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:46)
                               at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                               at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
                               ... 93 more
                              


                              9. hit the browser back button to go back to login page
                              10. hit F5 on keyboard to reload the page --> demo is logged in an I can use everything as normal
                              11. clicked logout link
                              12. entered duke/duke in login form and clicke login
                              13. duke is logged in without any exception

                              I'm on a Windows XP machine running JBoss4.0.5.GA with a brandnew absolutely untouched ejb3 configuration installed by latest JEMS-installer.

                              Funny, isn't it?

                              • 12. Re: Advice on Security System
                                Shane Bryzak Master

                                I tried again, running ant clean first then logging in with demo/demo, still no exception. I've since changed ProfileAction so that it doesn't use the Principal name in the query, so if you want to try this latest version from CVS it should now work for you.

                                • 13. Re: Advice on Security System
                                  Michael Singer Newbie

                                  Yep, it is working now, well done, the whole security framework is really great work, thank you

                                  • 14. Re: Advice on Security System
                                    Pete Muir Master

                                    Some experiences from integrating the Security Framework into a couple of apps.

                                    1) If security components aren't configured in components.xml (but the servlet filter has been added)

                                    java.lang.NullPointerException
                                     at org.jboss.seam.security.filter.SeamSecurityFilter.checkSecurityConstraints(SeamSecurityFilter.java:82)
                                     at org.jboss.seam.security.filter.SeamSecurityFilter.doFilter(SeamSecurityFilter.java:64)
                                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                                     at org.jboss.seam.servlet.SeamRedirectFilter.doFilter(SeamRedirectFilter.java:32)
                                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                                     at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
                                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                                     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                                     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
                                     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
                                     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
                                     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                                     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                                     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                                     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
                                     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                                     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                                     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
                                     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
                                     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                                     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                                     at java.lang.Thread.run()V(Unknown Source)


                                    2) If an empty security constraint element is specified
                                    <security-constraint></security-constraint>
                                    then an NPE is thrown (sorry, I don't have the trace to hand)

                                    3) +1 for being able to specify 'web-resource-collection' restraints in pages.xml (or have I missed this)

                                    4) If the user is not logged in, and requests a secured page, they get redirected to the securityError.seam page. On this page I have a login box, the user can log in. It would be good if the login is successful, for the user to be redirected to the originally requested page. Is this currently possible (and I've broken something ;) ?

                                    Looking good :)

                                    1 2 Previous Next