24 Replies Latest reply on Apr 17, 2009 10:54 AM by betatesteur

    Seam and security context

    chawax

      Hi,


      I have a Seam application using EJB components. Some EJB components have an interceptor to check security, so I need to retrieve the principal. I did it this way:



      // EJB3 interceptor registered on the beans with @Interceptors: logs the
      // container's caller principal, then delegates to the business method.
      public class SecurityInterceptor
      {
          @javax.annotation.Resource
          protected javax.ejb.SessionContext context;

          @javax.interceptor.AroundInvoke
          public Object execute(javax.interceptor.InvocationContext ctx)
              throws Exception
          {
              try
              {
                  // getCallerPrincipal() requires a container security context for this call
                  if (context != null && context.getCallerPrincipal() != null) {
                      System.out.println(context.getCallerPrincipal().getName());
                  }
                  return ctx.proceed();
              }
              catch (Exception e)
              {
                  e.printStackTrace();
                  throw e;
              }
          }
      }
      



      This interceptor works well when I run unit tests with JBoss microcontainer. But it fails when I call EJBs from a Seam component, with a "No valid security context for the caller identity" message.


      I wrote an authenticator Seam component, with this authenticate method:


      import java.util.StringTokenizer;
      import org.jboss.seam.security.Identity;

      // authenticate() of the Seam authenticator component; utilisateur, actor and
      // getServiceUtilisateur() are fields/methods of that component
      public boolean authenticate()
              throws java.lang.Exception
      {
          Identity identity = Identity.instance();
          String username = identity.getUsername();
          String password = identity.getPassword();
          VOCompteUtilisateur utilisateur = getServiceUtilisateur().getCompteUtilisateur(username);
          if (utilisateur != null && utilisateur.getPassword().equals(password)) {
              this.utilisateur = utilisateur;
              this.actor.setId(utilisateur.getMatriculeEmploye());
              this.actor.getGroupActorIds().add(utilisateur.getMatriculeEmploye());
              // roles are stored as a comma-separated string on the user account
              StringTokenizer roles = new StringTokenizer(utilisateur.getRoles(), ",");
              while (roles.hasMoreTokens()) {
                  String role = roles.nextToken();
                  identity.addRole(role);
              }
              return true;
          }
          else return false;
      }



      I guess I have something to do before returning true to integrate Seam identity and EJB security context. I saw there's an authenticate method in the org.jboss.seam.security.Identity class, waiting for a javax.security.auth.login.LoginContext parameter. Is it the method I should use? And where can I retrieve this login context?


      Thanks in advance for your help ;)

        • 1. Re: Seam and security context
          shane.bryzak

          Seam Security doesn't integrate with container security (although there are some issues in JIRA to address this, with JBossAS at least).  Can you not use the security interceptor though that Seam provides?  If you want to use your own you can, however you'll be missing out on many of the features provided by Seam Security. 


          Anyways back on topic, to get the Principal simply call Identity.instance().getPrincipal().
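An added example of my own (not code from the thread, from Seam or from JBoss) of the interceptor failing closed: it tries the container's caller principal first, falls back to Identity.instance().getPrincipal() as Shane suggests, and refuses the call when neither source knows the user. It assumes Seam 2's org.jboss.seam.security.Identity as used in this thread; the class name, the "caller.principal" context key and the UNAUTHENTICATED name are my own assumptions.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.jboss.seam.security.Identity;

public class FailClosedSecurityInterceptor {

    // Assumed: the name configured as unauthenticatedIdentity on the EJB's security
    // domain, if any; such a principal must not count as an authenticated caller.
    static final String UNAUTHENTICATED = "anonymous";

    @Resource
    private SessionContext context;

    @AroundInvoke
    public Object execute(InvocationContext ctx) throws Exception {
        Principal caller = resolveCaller();
        if (caller == null) {
            // Deny by default instead of letting an anonymous call reach the business method
            throw new EJBAccessException("no authenticated caller for " + ctx.getMethod().getName());
        }
        // Make the resolved principal available to the downstream authorization checks
        ctx.getContextData().put("caller.principal", caller);
        return ctx.proceed();
    }

    // Container security first, Seam Security second, null if neither knows the user
    private Principal resolveCaller() {
        try {
            Principal p = context == null ? null : context.getCallerPrincipal();
            if (p != null && !UNAUTHENTICATED.equals(p.getName())) {
                return p;
            }
        } catch (IllegalStateException noContainerLogin) {
            // JBoss: "No valid security context for the caller identity"; try Seam next
        }
        try {
            Identity identity = Identity.instance();
            if (identity.isLoggedIn()) {
                return identity.getPrincipal();
            }
        } catch (IllegalStateException noSeamContext) {
            // no active Seam context (plain EJB client, unit test): nobody is logged in
        }
        return null;
    }
}
```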

          • 2. Re: Seam and security context
            chawax

            I am a newbie with these security features, so maybe I misunderstood something. But when I read in the manual about security



            The authentication features provided by Seam Security are built upon JAAS (Java Authentication and Authorization
            Service)

            I thought that when you authenticate to Seam with the authenticator component, you authenticate to JAAS and so on to the container. Am I wrong?


            About using Seam interceptors, I can hardly do this because my Seam components rely on EJB3 jars that can be used in non-Seam applications too. So the security needs to be handled by interceptors bundled with the EJB3 jar. So I really need to authenticate to the container when I authenticate in Seam. If this is something not supported by Seam, do you see a way to do this?

            • 3. Re: Seam and security context
              shane.bryzak

              JAAS is simply an API (a well designed one, which is why we use it) that Seam uses for authentication, and is a different thing to container security (which generally makes use of JAAS also).


              As I mentioned, we don't support container integration as yet, and although it is on the drawing board it doesn't currently have a high priority though as it is an application server-specific feature, and as such isn't portable across containers.


              If you absolutely must use container security then I'd probably recommend that you use a ServletFilter to set up and tear down the security context for each request.

              • 4. Re: Seam and security context
                chawax

                Well, I wonder if we understood each other well ... What I need is not, I think, application server specific, but full JAAS. So I'll try to be clearer, sorry if what I said was a bit confusing.


                My application is built from Seam components that rely on a business layer made of EJB3 SLSB components (injected thanks to the javax.ejb.EJB annotation) bundled in a JAR added as a library to my application. These EJB3 components are secured thanks to an interceptor that implements home-made authorization controls (role-based authorization is not enough for us). Of course, to run these controls, I need to know the current user. And so I need to know who the current user was that ran the Seam component that called the EJB3 component, given that this user was authenticated thanks to the authenticator.login method.


                From what I understood of JAAS, authentication is made by a login module (Seam has its own) that puts a Principal object in a LoginContext object. Then you can call the getCallerPrincipal method on the injected SessionContext object and it will return the principal from the LoginContext. If Seam uses JAAS to authenticate, it means that it puts a Principal in the LoginContext, doesn't it? So I can't understand why there is no way to retrieve this principal and what is application server specific there. Can you tell me where I'm wrong?


                Actually, if what I try to do is not possible, how do you use secured EJB3 session beans from a Seam component?

                • 5. Re: Seam and security context
                  shane.bryzak

                  From what I understood of JAAS, authentication is made by a login module (Seam has its own) that puts a Principal object in a LoginContext object. Then you can call the getCallerPrincipal method on the injected SessionContext object and it will return the principal from the LoginContext. If Seam uses JAAS to authenticate, it means that it puts a Principal in the LoginContext, doesn't it? So I can't understand why there is no way to retrieve this principal and what is application server specific there. Can you tell me where I'm wrong?

                  Actually, if what I try to do is not possible, how do you use secured EJB3 session beans from a Seam component?


                  The LoginContext is temporary, it only survives to the end of the authentication call, and doesn't place anything into SessionContext.  If you want to use EJB security then I'm afraid you'll need to do it the traditional way, at least until Seam Security supports container integration.

                  • 6. Re: Seam and security context
                    skajotde

                    Shane Bryzak wrote on Apr 29, 2008 01:56 AM:

                    The LoginContext is temporary, it only survives to the end of the authentication call, and doesn't place anything into SessionContext.  If you want to use EJB security then I'm afraid you'll need to do it the traditional way, at least until Seam Security supports container integration.


                    I would also like to use security at the EJB level. To me it's a natural way to authorize the business layer, not the UI. You wrote "traditional way", does it mean servlet filters? Can you give any example with Seam? ;)


                    Thanks ;)
                    Kamil

                    • 7. Re: Seam and security context
                      chawax
                      The LoginContext is temporary, it only survives to the end of the authentication call, and doesn't place anything into SessionContext.


                      Does it mean you have to authenticate with JAAS before any EJB call?

                      • 8. Re: Seam and security context
                        shane.bryzak

                        By traditional I meant using container security, i.e. not Seam Security.

                        • 9. Re: Seam and security context
                          shane.bryzak

                          Not exactly, JBoss Security supports the notion of an authentication cache that allows subsequent invocations to use a previously successful login.  This is described in the JBoss Security docs at http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html, and some other reading that may also be useful is the JBossSX wiki at http://wiki.jboss.org/wiki/JBossSX.

                          • 10. Re: Seam and security context
                            chawax

                            OK. So when you were talking about application server-specific features, it was about the way a successful login can be propagated to different EJB calls? This is partly what JBossSX does?

                            • 11. Re: Seam and security context
                              skajotde

                              Olivier Thierry wrote on Apr 28, 2008 02:29 PM:


                              I wrote an authenticator Seam component, with this authenticate method :

                              public boolean authenticate()
                                      throws java.lang.Exception
                              {
                                  String username = Identity.instance().getUsername();
                                  String password = Identity.instance().getPassword();
                              ...
                                          return true;
                                  }
                                  else return false;
                              }



                              I guess I have something to do before returning true to integrate Seam identity and EJB security context.


                              I think this should be the solution (specific to JBoss)


                              import java.util.HashMap;
                              import java.util.Map;
                              import javax.security.auth.callback.CallbackHandler;
                              import javax.security.auth.login.AppConfigurationEntry;
                              import javax.security.auth.login.Configuration;
                              import javax.security.auth.login.LoginContext;

                              // Replaces the JVM-wide JAAS configuration with one that maps every
                              // domain name to JBoss's ClientLoginModule
                              Configuration.setConfiguration(new Configuration() {
                                  public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                                      Map<String, String> properties = new HashMap<String, String>();
                                      properties.put("restore-login-identity", "true");
                                      properties.put("multi-threaded", "true");
                                      String module = "org.jboss.security.ClientLoginModule";
                                      AppConfigurationEntry ace = new AppConfigurationEntry(module,
                                          AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, properties);
                                      return new AppConfigurationEntry[] { ace };
                                  }
                                  public void refresh() {
                                  }
                              });
                              // JAASCallbackHandler is not a JDK class: a CallbackHandler that answers
                              // the NameCallback/PasswordCallback with the user's credentials
                              CallbackHandler handler = new JAASCallbackHandler(username, password);
                              LoginContext ctx = new LoginContext("domain-app", handler);
                              ctx.login();



                              Domain domain-app must be declared in $JBServer/conf/login-config.xml.
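An added example of my own (not code from the thread, from Seam or from JBoss) of the per-request set-up and tear-down Shane suggests in reply 3, using the domain-app domain Kamil's reply 11 declares in login-config.xml rather than replacing the JVM-wide JAAS Configuration. It assumes JBoss's org.jboss.security.auth.callback.UsernamePasswordHandler; the CallerCredential holder and the session key are hypothetical, and "secret" is whatever credential the EJB's server-side security domain accepts.

```java
import java.io.IOException;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class ContainerLoginFilter implements Filter {
    // Assumed session attribute under which the application's authenticator stores
    // the caller's credential after a successful Seam login (hypothetical holder class)
    static final String CREDENTIAL_ATTR = "app.callerCredential";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        CallerCredential cred = session == null ? null
                : (CallerCredential) session.getAttribute(CREDENTIAL_ATTR);
        if (cred == null) {
            chain.doFilter(req, res);   // nobody logged in: no container identity to set up
            return;
        }
        LoginContext lc;
        try {
            // ClientLoginModule verifies nothing; it binds principal and credential to this
            // thread, and the EJB's own security domain checks them on each invocation
            CallbackHandler handler = new UsernamePasswordHandler(cred.username, cred.secret);
            lc = new LoginContext("domain-app", handler);
            lc.login();
        } catch (LoginException e) {
            throw new ServletException("container login failed", e);
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Tear down unconditionally: the worker thread is pooled, and a leftover
            // association would be inherited by the next, possibly unrelated, request
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }

    // Hypothetical session-scoped holder filled in by the application's authenticator
    public static final class CallerCredential implements java.io.Serializable {
        final String username; final Object secret;
        public CallerCredential(String u, Object s) { username = u; secret = s; }
    }
}
```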

                              • 12. Re: Seam and security context
                                chawax

                                Thanks Kamil. Where do you paste this piece of code?

                                • 13. Re: Seam and security context
                                  skajotde

                                  As you wrote:



                                  I guess I have something to do before returning true
                                  • 14. Re: Seam and security context
                                    chawax

                                    I can't make it compile ... Do you need to add any jar to the project? Or maybe it works with a specific JBoss version (I work with the 4.2.0.GA one)
