3 Replies Latest reply on Mar 28, 2007 11:43 AM by Fady Matar

    JAAS login with JBoss Seam

    Fady Matar Novice

      I have completely migrated a previous application to JBoss Seam.
      Now I'm left with only one feature which is authentication.

      In the previous application I used Active Directory to login, now according to the documentation, if you wish to use your container's JAAS configuration all you need to do is point it out in your components.xml as follows:

       <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="myJaasRealm" remember-me="true" />
      


      Is this the only requirement? What about the login page? Nothing needs to be changed in there? My previous page used the j_form, j_username and j_password fields, can I use the generated login page to do that?


        • 1. Re: JAAS login with JBoss Seam
          Mark Jones Newbie

          It might be true now but I had configuration hell...


          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd">
          
          <jboss-web>
          
           <security-domain>java:/jaas/fooSecurityPolicy</security-domain>
          
           <!-- Resource Environment References -->
          
           <!-- Resource references -->
          
           <!-- EJB References -->
          
          </jboss-web>
          
          <?xml version='1.0'?>
          <!DOCTYPE policy PUBLIC
           "-//JBoss//DTD JBOSS Security Config 3.0//EN"
           "http://www.jboss.org/j2ee/dtd/security_config.dtd">
          <policy>
           <application-policy name="fooSecurityPolicy">
           <authentication>
           <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
           <module-option name="dsJndiName">
           java:/fooDatasource
           </module-option>
           <module-option name="principalsQuery">
           SELECT password FROM user WHERE userId=?;
           </module-option>
           <module-option name="rolesQuery">
           SELECT role, 'Roles' FROM role r
           INNER JOIN user u ON u.userID = r.userID
           WHERE u.userId=?
           </module-option>
           <module-option name="ignorePasswordCase">true</module-option>
           <module-option name="hashCharset">UTF-8</module-option>
           <module-option name="hashEncoding">hex</module-option>
           <module-option name="hashAlgorithm">MD5</module-option>
           </login-module>
           </authentication>
           </application-policy>
          </policy>
          
          <?xml version="1.0" encoding="UTF-8"?>
          <server>
           <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="foo:service=DynamicLoginConfig">
           <attribute name="AuthConfig">foo-login-config.xml</attribute>
           <depends optional-attribute-name="LoginConfigService">
           jboss.security:service=XMLLoginConfig
           </depends>
           <depends optional-attribute-name="SecurityManagerService">
           jboss.security:service=JaasSecurityManager
           </depends>
           </mbean>
          </server>
          
          <security-constraint>
           <web-resource-collection>
           <web-resource-name>Secure Area</web-resource-name>
           <description>Security for Protected Pages</description>
           <url-pattern>/secure/*</url-pattern>
           <http-method>POST</http-method>
           <http-method>GET</http-method>
           </web-resource-collection>
           <auth-constraint>
           <description>Only valid users can use the secure resources</description>
           <role-name>fooUser</role-name>
           </auth-constraint>
           <user-data-constraint>
           <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
           </security-constraint>
          
           <security-constraint>
           <web-resource-collection>
           <web-resource-name>Admin Area</web-resource-name>
           <description>Administrator Protected Pages</description>
           <url-pattern>/admin/*</url-pattern>
           <http-method>POST</http-method>
           <http-method>GET</http-method>
           </web-resource-collection>
           <auth-constraint>
           <description>Only valid admin users can use the secure resources</description>
           <role-name>fooAdmin</role-name>
           </auth-constraint>
           <user-data-constraint>
           <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
           </security-constraint>
          
           <login-config>
           <auth-method>FORM</auth-method>
           <realm-name>fooSecurityPolicy</realm-name>
           <form-login-config>
           <form-login-page>/login.seam</form-login-page>
           <form-error-page>/loginError.seam</form-error-page>
           </form-login-config>
           </login-config>
          
           <security-role>
           <description>An foo system user</description>
           <role-name>fooUser</role-name>
           </security-role>
          
           <security-role>
           <description>An foo admin user</description>
           <role-name>fooAdmin</role-name>
           </security-role>
          
          
           <ejb-jar>
           <security-domain>java:/jaas/fooSecurityPolicy</security-domain>
           <assembly-descriptor>
           <interceptor-binding>
           <ejb-name>*</ejb-name>
           <interceptor-class>org.jboss.seam.ejb.SeamInterceptor</interceptor-class>
           </interceptor-binding>
           </assembly-descriptor>
          </ejb-jar>
          
          <jboss-app>
           <module>
           <service>foo-login-service.xml</service>
           </module>
           <loader-repository>
           seam.jboss.org:loader=foo
           </loader-repository>
          </jboss-app>
          


          Personally I would use the simplified version if you can. I have always disliked JAAS.

          • 2. Re: JAAS login with JBoss Seam
            Louis Coetzee Apprentice

            The Seam wiki contains an example (now outdated). Look under the Deprecated & Old Stuff heading.

            http://www.jboss.com/wiki/Wiki.jsp?page=JBossSeam

            L

            • 3. Re: JAAS login with JBoss Seam
              Fady Matar Novice

              This approach worked for me before, but I was wondering if the identity component can be wired.

              Using the regular authentication / authorization module makes the seam identity component useless.

              I believe that one approach to benefit from the identity module is to write the LDAP authentication within the authenticate method and provide an XML configuration to make it more or less portable. I would like to get Gavin's feedback on that