9 Replies Latest reply on Oct 3, 2007 9:16 AM by Pete Muir

    Security Auto-Login Question

    Craig Barker Newbie

      Hi All,

      I've got a bit of a beginners question I've been struggling with for a few days now. I'm trying to use the new (1.1.6) security features and I must say they are very simple and powerful, great job.

      Unfortunately all examples i've seen so far assume that a user will login to the session with a username/password and then hit the #{identity.login} button/link.

      In my situation I've implemented single sign-on using NTLM authentication against windows credentials, and it works fine. The problem is i'm not sure how to execute the #{identity.login} without the user having to do anything!

      Here's my authenticate object.

      public class Authenticator
       @In Context sessionContext;
       private EntityManager em;
       public boolean authenticate()
       Identity.instance().setUsername(((NtlmPasswordAuthentication) sessionContext.get("NtlmHttpAuth")).getUsername());
       User user = (User) em.createQuery(
       "from User where username = :username")
       .setParameter("username", Identity.instance().getUsername())
       for (Object mem : user.getMemberships())
       return true;
       catch (NoResultException ex)
       return false;

      I'm quite flexible about the final page configuration and am running the packaged version of facelets and icefaces 1.5.3 if that helps.

      I'm abit embarrassed as i've done all the difficult work and I just need this last (seemingly simple) step to get it all polished.

      Many thanks in advance,


        • 1. Re: Security Auto-Login Question
          Fernando Montaño Expert

          In the pages.xml add the page configuration for the first page you want to access (usually login.xhtml or home.html) and execute the login before rendering the page.

          Somthing like:

          <page view-id="/login.xhtml" action="#{identity.login}">
           <navigation from-action="#{identity.login}">
           <rule if="#{identity.loggedIn}">
           <redirect view-id="/home.xhtml"/>

          The above example means:
          When you are trying to access to the page login.xhtml the identity.login action will be executed (same as pressing the button in the page, but without render anything yet), then your authenticator.authenticate method will be called, then if such method returns true, you will be logged in, and the next lines checks if you are logged in using the rule, and if that is true you can redirect the page you want, in this case it is reirecting the home.xhtml (of course already logged in).


          • 2. Re: Security Auto-Login Question
            Craig Barker Newbie

            Excellent that did the trick.


            • 3. Re: Security Auto-Login Question
              Christian Bauer Master

              It would be great if you could post the NTLM part of your solution on the Seam wiki.

              • 4. Re: Security Auto-Login Question
                Jarkko Lietolahti Novice

                What about situation where we just don't know the first Seam page the user is going to hit?

                This is the case in portal environments.

                Just keep hitting the #{identity.login} everytime?

                <page view-id="/*" action="#{identity.login}">

                Or can we use @Factory or smt?

                • 5. Re: Security Auto-Login Question
                  Ben Catherall Newbie


                  "christian.bauer@jboss.com" wrote:
                  It would be great if you could post the NTLM part of your solution on the Seam wiki.

                  Sounds like it could be JCIFS http filter - jcifs.samba.org

                  • 6. Re: Security Auto-Login Question
                    Marc Lustig Newbie

                    We need also NTLM authentication and the configuration is quite apparent.
                    However to me is not clear how to obtain the HTTP-request-headers from my authenticator.autenthicate() EJB3 bean-method in order to call request.getRemoteUser().

                    Seam provides Annotation for @RequestParameter, but I don't see anything like @HttpRequest to inject to javax.servlet.HttpServletRequest

                    any suggestion is appeciated.

                    • 7. Re: Security Auto-Login Question
                      Craig Barker Newbie


                      I will get around to posting this up on the WIKI but the 'day job' is currently taking up more than it's fair share of time. When it all calms down i'll get it done.

                      In answer to your query I use:

                      @In Context sessionContext;
                      ((NtlmPasswordAuthentication) sessionContext.get("NtlmHttpAuth")).getUsername()

                      This allows me to extract the current session user's username, which I then pass off to the real authentication/authorisation code.

                      Hope this helps.


                      • 8. Re: Security Auto-Login Question
                        Marc Lustig Newbie

                        I have no idea how you happen to have the NT-Login-name available in the session. In our configuration the NT-Login is passed as an attribute of the HTTP-request (and availble via request.getRemoteUser()).

                        I am using Seam 2 and I have added the authentication logic in my annotaded authentication class.

                        In components.xml I have configured

                        <security:identity authenticate-method="#{authenticator.authenticate}" />

                        In pages.xml I have the following config:

                        <page view-id="/login.xhtml">
                         <action execute="#{identity.login}"/>
                         <navigation from-action="#{identity.login}">
                         <rule if="#{identity.loggedIn}">
                         <redirect view-id="/main.xhtml"></redirect>
                         <rule if="#{not identity.loggedIn}">
                         <redirect view-id="/loginFailed.xhtml"></redirect>

                        The login.xml page is not existing. It is just a stub.
                        The method identity.login() should be called and itself calling authenticator.authenticate() but it isn't.
                        Any idea why?

                        • 9. Re: Security Auto-Login Question
                          Pete Muir Master

                          There are many discussions on the forum about how to execute auto-login.