3 Replies Latest reply on Sep 13, 2007 8:29 AM by Stéphane Molina

    Security context propagation between Seam EJB components and

    Eyrignoux Marc Newbie

      I use Seam 1.2.1GA in my application, under JBoss 4.0.5GA; the presentation layer is made of Session EJBs which are Seam components, and the service and persistance layers are made of "standard" EJBs (ie. not Seam components).

      Therefore I need a way to communicate the security context from the Seam components to the "standard" EJBs.

      I use the Seam authentication and authorization mecanisms, which work very fine... But only in Seam components.

      The user gets authenticated thanks to an "authenticator" JavaBean-Seam Component which I wrote after from the Seam Documentation (I have also put in place all the configuration indicated in the Seam Documentation http://docs.jboss.org/seam/1.2.1.GA/reference/en/html/security.html):

      public boolean authenticate() {
      
       boolean result = false;
      
       SylveaUser user = getSecurityDAO().getUser(Identity.instance().getUsername());
      
       if ( user != null ) {
       Identity.instance().addRole(user.getProfile().getName());
      
       if ( Encryption.getInstance().equals(user.getPassword(), Identity.instance().getPassword())) {
       result = true;
       }
       }
       return result;
      }
      


      In the components.xml, I use the "pure" Seam authentication:
      <security:identity authenticate-method="#{authenticator.authenticate}"/>
      


      In my Seam-EJBs components, everything works fine when I use the Seam API, ie. Identity.instance( ).*
      But if I try to use the JEE API, I get an exception: "java.lang.IllegalStateException: No valid security context for the caller identity"
      Here is an example of my code:
      @Stateful
      @Scope(ScopeType.CONVERSATION)
      @Name("myAction")
      public class MyActionImpl extends MyAction {
      
       @Resource
       private SessionContext context;
      
       @Factory(value="intermediaireList", scope=ScopeType.EVENT)
       public void findIntermediaires() {
       boolean loggedIn = Identity.instance().isLoggedIn(); // works fine
       Principal principal = context.getCallerPrincipal(); // IllegalArgumentException
       String name = principal.getName();
       ...
       }
      }
      


      When I try to use the JEE API in my "standard" EJBs if the service and persistance layers, I get the same IllegalArgumentException. Does anyone have an idea ?

      Thanks in advance,
      Marc.

        • 1. Re: Security context propagation between Seam EJB components
          Eyrignoux Marc Newbie

          I found a way to stop the exceptions, but it still doesn't work... Help would be greatly appreciated !

          In my components.xml, I reference a realm:

          <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="sylveaAuth"/>
          


          Which I defined into my application:
          jboss-app.xml of my ear:
          <jboss-app>
           <module-order>strict</module-order>
          
           <module>
           <service>sylvea-login-service.xml</service>
           </module>
          
           <loader-repository>
           com.april.sylvea:loader=sylvea
           </loader-repository>
          </jboss-app>
          


          sylvea-login-service.xml:
          <?xml version="1.0" encoding="UTF-8"?>
          <server>
           <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="sylvea:service=DynamicLoginConfig">
           <attribute name="AuthConfig">sylvea-login-config.xml</attribute>
           <depends optional-attribute-name="LoginConfigService">
           jboss.security:service=XMLLoginConfig
           </depends>
           <depends optional-attribute-name="SecurityManagerService">
           jboss.security:service=JaasSecurityManager
           </depends>
           </mbean>
          </server>
          


          and sylvea-login-config.xml:
          <?xml version='1.0'?>
          <!DOCTYPE policy PUBLIC
           "-//JBoss//DTD JBOSS Security Config 3.0//EN"
           "http://www.jboss.org/j2ee/dtd/security_config.dtd">
          <policy>
           <application-policy name="sylveaAuth">
           <authentication>
           <!-- Add this line to your login-config.xml to include the ClientLoginModule propogation -->
           <login-module code="org.jboss.security.ClientLoginModule" flag="required">
           <module-option name="multi-threaded">true</module-option>
           <module-option name="restore-login-identity">true</module-option>
           <!-- <module-option name="password-stacking">useFirstPass</module-option>-->
           </login-module>
           <login-module code="org.jboss.seam.security.jaas.SeamLoginModule" flag="required" />
           </authentication>
           </application-policy>
          </policy>
          


          I also added a jboss-web.xml in the WEB-INF of my web-app (I don't know if it is useful):
          <jboss-web>
           <security-domain>java:/jaas/sylveaAuth</security-domain>
          </jboss-web>
          


          I added a jboss.xml in the META-INF of the jar of my EJBs:
          <?xml version="1.0" encoding="UTF-8"?>
          
          <jboss>
           <security-domain>sylveaAuth</security-domain>
          </jboss>
          


          But the propagation still doesn't work:
          @Stateful
          @Scope(ScopeType.CONVERSATION)
          @Name("myAction")
          public class MyActionImpl extends MyAction {
          
           @Resource
           private SessionContext context;
          
           @Factory(value="intermediaireList", scope=ScopeType.EVENT)
           public void findIntermediaires() {
           boolean loggedIn = Identity.instance().isLoggedIn(); // Seam works fine
           Principal seamPrincipal = Identity.instance().isLoggedIn(); // Seam Principal works fine
           Principal principal = context.getCallerPrincipal(); // JEE principal contains nothing => wrong
           String name = principal.getName(); // JEE name is null => wrong
           ...
           }
          }
          


          • 3. Re: Security context propagation between Seam EJB components
            Stéphane Molina Newbie

            Hi all,

            I am experiencing the same kind of problems. It seems impossible to transmit Seam security context informations to JEE security context ...

            I can imagine some realy ugly solutions, but I would prefer some pretty one :)