7 Replies Latest reply on Sep 4, 2008 9:48 PM by nimo stephan

    org.jboss.seam.security.management.authenticatedUser

    nimo stephan Master

      How and where can I obtain the value coming from org.jboss.seam.security.management.authenticatedUser ?


      I looked at my session-scope after the user logged in via JPAIdentityStore and found out, that this User cannot login twice:


      You are already logged in, please log out first if you wish to log in again



      That's nice!


      In Identity.class, there is a method


       public boolean isLoggedIn(boolean attemptLogin)
         {
           ... 
            // If there is a principal set, then the user is logged in.
            return getPrincipal() != null;
         }



      But this method works only, if the User tries to login in the same browser.


      For example, I open the Mozilla Browser, log me in and try to do it again, then the message Allready logged in occurs, as isLoggedIn is true.


      But when I open Internet Explorer and let the Moziall Browser open, then I can log me in again with the same username. How can I avoid this behaviour? I want, that the User can log in at most once. Is this Principal not stored in the Application-Context ?


      Any suggestions?

        • 1. Re: org.jboss.seam.security.management.authenticatedUser
          Andre Eugenio Newbie

          I saw your http://www.seamframework.org/Community/LoginUserAtMostOnceTime thread and I'm going try to help (but I'm new to seam as well).


          AFAIK seam doesn't have anything to support this, you have to implement it.


          To archive this you need to keep a List with all logged users in application scope with the UserID and SessionID and prevent the user to log in again if the UserID is already stored in the List (on Application Scope).


          But you have to implement a way to the user override the sessionID stored on the application scope to a new one because the hardest part to prevent the user log in with another browser, workstation, etc is how to handle the log out because the browser is not connected with the web server.


          If the user don't log out of your application they will won't be able to log in again until any expiration mechanism take care.


          To add a user to the Application Scope you can use the seam loginSuccessful event.
          To remove the user when he log out you can extend seam Identity class and override the logout method.
          To expire i guess the best way is to create a POJO servlet that implements HttpSessionBindingListener interface (you can google it for examples).


          Hope this help.


          Cheers, Andre.


          • 2. Re: org.jboss.seam.security.management.authenticatedUser
            nimo stephan Master

            Hello thanks,


            I have successfully implemented this scenario:


            I have a Map with User,Session in my ApplicationScope controlling if the User is already logged to avoid to login in different browsers. That works well.


            But what about, if I want to destroy the User-Session of the User who has logged in before and log in the latest User. I cannot retrieve the User-Instances from the JPAIdentityStore to destroy the User-Session. This is, what I want.


            Where can I find this User in my JPAIdentityStore-Instance stored in the ApplicationScope?


            FacesContext facesContext = FacesContext.getCurrentInstance();
            Application application = facesContext.getApplication();     
            application.getClass()....?????






            • 3. Re: org.jboss.seam.security.management.authenticatedUser
              nimo stephan Master

              Imagine this scenario, I have an admin-page and want to be able to destroy the session of the users who are logged in..

              • 4. Re: org.jboss.seam.security.management.authenticatedUser
                Andre Eugenio Newbie
                FacesContext facesContext = FacesContext.getCurrentInstance();
                Object target = context.getExternalContext().getApplicationMap().get("nameOfYOurObjectWhen YouStoreOnTheMap");
                



                Example


                MyCustomObject object = new MyCustomObject();
                FacesContext facesContext = FacesContext.getCurrentInstance();
                context.getExternalContext().getApplicationMap().put("toApp", object);
                MyCustomObject object = (MyCustomObject)context.getExternalContext().getApplicationMap().get("toApp");
                



                Regards.

                • 5. Re: org.jboss.seam.security.management.authenticatedUser
                  nimo stephan Master

                  I have done that before, thanks. I can store and retrieve the values of my application-scope. That is not the problem.


                  The problem is, to retrieve the actual instance from the IdentityStore in which all actual user-instances are located.
                  Something like:


                  application.getClass().forName(org.jboss.seam.security.identity).getMethods(...)

                  • 6. Re: org.jboss.seam.security.management.authenticatedUser
                    Andre Eugenio Newbie

                    I don't know either how to access the way you want.
                    But I guess you can invalidate the desired session in a Servlet Filter when the request arrives.
                    For this this create a new Map in the Application Context and just check if the ID of the current request is invalid in the List.


                    Example:


                    public class invalidateSession extends HttpServlet {
                    
                      public void doGet(HttpServletRequest req, HttpServletResponse res)
                                                   throws ServletException, IOException {
                    
                        HttpSession session = req.getSession(true); // get the actual session
                    
                        if (!session.isNew()) {  // skip new sessions
                    
                            // test the actual session in the Map of the sessions to be invalidated
                    
                            session.invalidate();
                        }
                    
                        // Continue processing...
                      }
                    }
                    


                    • 7. Re: org.jboss.seam.security.management.authenticatedUser
                      nimo stephan Master

                      Thanks, but this does meet my problem.


                      Destroy a session with:


                      org.jboss.seam.web.Session.instance().invalidate(); 



                      Logout a user with:


                      Identity.logout




                      Get the instance of a Class stored in the Application-Scope with:


                      JPAIdentityStore a = (JPAIdentityStore ) Contexts.getApplicationContext().get("org.jboss.seam.security.jpaIdentityStore");



                      But the fact is:



                      It is useless to store the User and its Session into a Map in the Application-Scope and delete this User and its Session from this Map - it does not logout the user as its session still exists in another value elsewhere in the Application-Scope (Identity-Instance or the like?).


                      I have no convenient method in my IdentityManager to say, hey, this user is logged out by me, the administrator. I cannot say for exampe:


                      Identity.logout(Username)