2 Replies Latest reply on Mar 20, 2008 12:04 AM by Shane Bryzak

    Seam security integration with JBoss SX and subject propagation pattern ?

    Guillaume Jeudy Master

      Hi,


      I am using jboss 4.2.2 with seam 2.0.1. I need to leverage org.jboss.resource.security.CallerIdentityLoginModule in order to allow database sign-on based on the caller's authenticated subject. I was able to make this work in a simple webapp with BASIC auth, a security-constraint in web.xml and a simple UsersRolesLoginModule with a properties file to match the user/pass entered by the user. I grab a Connection from the Datasource looked up with JNDI in a test servlet and it is using my user/pass, thanks to Criteria=ByContainer support in JBoss.


      Now making this work with Seam is a different beast, I tried using the simple seam identity in order to achieve this.


      components.xml


      <security:identity authenticate-method="#{ssoAuthenticator.authenticate}" />



      If I call:


      Subject sbj = (Subject)PolicyContext.getContext("javax.security.auth.Subject.container");



      right after the authenticate-method has been called, the subject is null. Does this mean SeamLoginModule does not support integration with JBossSX and proper subject propagation?


      What would be the recommended approach to solve this problem? Should I implement my own javax.security.auth.spi.LoginModule and make seam's identity component point to my custom securityDomain like so?


      <security:identity jaas-config-name="myConfig"/>



      In order to integrate with the company's auth model, I need to access the servlet session to retrieve the principal (preauthenticated) by NtlmServletFilter (jcifs class). I need to call a remote web service to get a list of authorized roles, then I need the subject to be propagated normally to CallerIdentityLoginModule, which takes care of passing the user/pass information to the datasource and initiating a db connection with these credentials.


      Would subclassing SeamLoginModule be a better alternative?


      Seam experts, please advise.


      Thanks,
      -Guillaume

        • 1. Re: Seam security integration with JBoss SX and subject propagation pattern ?
          Guillaume Jeudy Master

          In case somebody is running into the same issues as I do: in order to get the Subject propagated from the web layer to the ejb layer I need to call the WebAuthentication object (provided by the JBoss tomcat service lib) explicitly using my custom security realm. I call this from inside an authenticator component which is not set up with an authentication method (this method is only used if no jaasConfigName is provided on the security:identity component) and is called explicitly from my pages.xml setup.


          The only thing not very clean about this approach is that I need to call identity.authenticate() and add roles to the identity manually, in addition to calling WebAuthentication.login(), to ensure the subject is propagated to the Datasource pooling ByContainer setup as supported by CallerIdentityLoginModule.


          Both WebAuthentication and identity.authenticate() execute the same login module.


          As a proposed enhancement, Seam could provide a better level of integration with JBoss subject propagation in a future release.


          If anybody is interested in getting more details I will gladly provide detailed info on how I implemented this.
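          The two-step login the reply describes (container login through WebAuthentication, then identity.authenticate() plus roles added by hand), as an added example that is not the poster's code. It assumes JBoss AS 4.2.x with Seam 2.0.x, <security:identity jaas-config-name="myConfig"/> in components.xml with a "myConfig" security domain whose login module accepts the credential passed below, an NTLM filter that has already set request.getUserPrincipal(), and a hypothetical RoleService component and "sso.credential" session attribute standing in for the company's web service and credential handling.

```java
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Identity;
import org.jboss.seam.web.ServletContexts;
import org.jboss.web.tomcat.security.login.WebAuthentication;

@Name("ssoAuthenticator")
@Scope(ScopeType.EVENT)
public class SsoAuthenticator {
    // Hypothetical Seam component wrapping the company's role web service.
    @In(create = true)
    private RoleService roleService;

    // Invoked from pages.xml (e.g. <action execute="#{ssoAuthenticator.login}"/>),
    // not via authenticate-method, because jaas-config-name is set on security:identity.
    public boolean login() {
        HttpServletRequest request = ServletContexts.instance().getRequest();
        if (request.getUserPrincipal() == null) {
            return false;                      // NTLM filter did not pre-authenticate: refuse
        }
        String username = request.getUserPrincipal().getName();
        // Whatever credential the "myConfig" login module validates (assumed session attribute).
        String credential = (String) request.getSession().getAttribute("sso.credential");

        // Step 1: container login. Runs the login module under Tomcat's security valve,
        // so the Subject is bound to this request thread and propagates to EJBs and to
        // CallerIdentityLoginModule (Criteria=ByContainer on the datasource).
        if (!new WebAuthentication().login(username, credential)) {
            return false;
        }
        // Step 2: Seam login. The same login module runs again so Identity is populated;
        // roles fetched from the web service are then added explicitly.
        Identity identity = Identity.instance();
        identity.setUsername(username);
        identity.setPassword(credential);
        try {
            identity.authenticate();
        } catch (LoginException e) {
            return false;
        }
        for (String role : roleService.rolesFor(username)) {
            identity.addRole(role);
        }
        return identity.isLoggedIn();
    }
}
```

          If either step fails the method returns false without leaving a half-authenticated session: the container Subject is only bound when WebAuthentication.login() succeeds, and the Seam identity only reports logged in after authenticate() succeeds.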

          • 2. Re: Seam security integration with JBoss SX and subject propagation pattern ?
            Shane Bryzak Master

            We have an outstanding JIRA issue for better integration of Seam with container security in JBoss AS.  If you could provide the details of what you did to implement this it would be greatly appreciated.  Here's the link to the issue:


            JBSEAM-729