1 Reply Latest reply on Nov 15, 2007 10:24 AM by stu2

    Where to invoke implicit login for custom SSO?


      I'm implementing simple custom SSO, and am struggling to find the correct place to perform an implicit login when the user first hits the application.

      I had thought that a filter would be the natural place for this, and have a SsoFilter created and registered with SeamFilter. This works as I expected it to, BUT the call to identity.login() fails because there's no application scope active - the filter executes before the lifecycle sets up the context for the request (I think).

      Here's what I see:

      java.lang.IllegalStateException: No active application scope
       at org.jboss.seam.security.Configuration.instance(Configuration.java:71)
       at org.jboss.seam.security.Identity.getLoginContext(Identity.java:412)
       at org.jboss.seam.security.Identity.authenticate(Identity.java:324)
       at org.jboss.seam.security.Identity.login(Identity.java:237)
       at weblock.servlet.SsoFilter.doFilter(SsoFilter.java:78)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

      Here's what I'm basically doing in my filter:

      // taken from AuthenticationFilter from seam source.
       Identity identity = (Identity) request.getSession().getAttribute( Seam.getComponentName(Identity.class) );
       // for our requirements we don't actually need password, and
       // authenticate is written accordingly
       // this is what blows up!
       String loginResult = identity.login();

      Argh! Is a filter the wrong place to do this sort of thing in Seam? We're developing against jboss, deploying into weblogic, so container integration isn't an option. The JSF lifecycle hooks seam uses via SeamListener look promising (session binding) but it doesn't look intended to be extensible, and I don't think the contexts are initialized there either. We don't want any sort of login page - this behaviour should all be transparent to the users.

      Am I missing something obvious?

      Any help would be greatly appreciated.

        • 1. Re: Where to invoke implicit login for custom SSO?

          Got it!

          Approach stolen from AuthenticationFilter. Essentially the issue is that identity.login() needs to run with Seam contexts initialized, BUT the filter apparently runs before these are initialized by Seam. Here's what works:

          new ContextualHttpServletRequest(request)
           public void process() throws ServletException, IOException
           String loginResult = identity.login();
           log.info("identity.login() returned #0. Logged in? #1", loginResult, identity.isLoggedIn(false));

          Also, the ideal place for this sort of SSO looks to me to be in a SessionListener. But at that point there's no request available, so I'm not sure how to initialize the environment.