4 Replies Latest reply on Apr 2, 2007 4:01 PM by bsmithjj

    Seam Security Question - Tomcat Valve



      We have written a custom Tomcat valve-realm implementation that integrates our JBoss servers with a CAS-SSO system. Our valve-realm implementation supplies the Principal to the HttpServletRequest and handles invocations of isUserInRole(String role) on the HttpServletRequest. This eliminates the need for an application-level authentication-authorization system. Our developers simply write security constraints on URL's in web.xml and 'hook into' the SSO system by supplying a Tomcat context.xml file in WEB-INF.

      I've looked at the seam security module - I see that I can specify a 'jaas-config-name' but we're not even using that since the container (via context.xml and web.xml) is now deciding whether or not authentication/authorization is required for a request. My question is how do I make the Identity component simply delegate to the HttpServletRequest for invocations of the isUserInRole()? In looking at the code for Identity, it doesn't seem like this would work out of the box since Identity has its own concept of a Subject...

      Brad Smith

        • 1. Re: Seam Security Question - Tomcat Valve
          Shane Bryzak Master

          I don't think it would be too hard for Seam Security to authenticate against a Tomcat realm - if you create a JIRA issue for this and assign it to me I'll add this functionality when I get a chance.

          • 2. Re: Seam Security Question - Tomcat Valve

            I create issue http://jira.jboss.com/jira/browse/JBSEAM-967. Note that what I'm really asking at the moment, is for away to establish an Identity that uses the HttpServletRequest to obtain the Principal, and check roles.

            Brad Smith

            • 3. Re: Seam Security Question - Tomcat Valve
              Cyril Sochor Newbie

              I need SSO with other old struts application on same server.
              With this class SSO authentication works, but authorization #{s:hasRole('admin')} don't :-(

              @Install(precedence = Install.APPLICATION)
              public class MyIdentity extends Identity {

              public Principal getPrincipal() {
              Principal currentUser = ((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext()
              return currentUser;

              • 4. Re: Seam Security Question - Tomcat Valve

                The problem is that the Seam security model is tightly coupled to a JAAS model of security - i.e. the Subject class and friends. With CAS and our custom Tomcat Valve, the servlet container associates/manages a copy of the authenticated Principal (a.k.a. userPrincipal in Seam) with the HttpServletRequest and in the Valve, it's possible for us to make isUserInRole() work as expected as well. It would be ideal for us if Seam allowed us to provide or override the Principal and roles for a user (and even permissions too but we're not using permissions directly) to the Identity component.

                I would be reluctant to use the approach you show in the previous post because that's sure to be outdated or broken with any future release of Spring - especially since there are JIRA task(s) for the Identity component now.