3 Replies Latest reply on Oct 21, 2008 8:48 AM by shane.bryzak

    Seam Identity Management and multiple identity stores

    hermida.leandro.hermida.gmail.com

      Hello,


      I am planning to use the nice new Identity Management API in Seam 2.1.0.BETA1 and read through the documentation.  My question is, does the API have the capability to set multiple identity stores where you specify the order by which it checks the stores during authentication, falling through to the next store if the credentials fail?


      This would be a very useful feature and I think quite common practice where one or more LDAP stores are checked in a specified order and then, finally, the JPA local database store of the application.


      Cheers,
      Leandro

        • 1. Re: Seam Identity Management and multiple identity stores
          shane.bryzak

          It doesn't support anything like this currently.  The issue I see with implementing something like this is keeping track of which user belongs to which identity store.  For this particular scenario I would recommend writing an authenticator component and performing authentication manually (although you can still configure one or more identity stores in components.xml and just use them in your authenticate method).

          • 2. Re: Seam Identity Management and multiple identity stores
            hermida.leandro.hermida.gmail.com

            Hi again,

                I would recommend writing an authenticator component and performing authentication manually (although you can still configure one or more identity stores in components.xml and just use them in your authenticate method)

            Sorry if I may ask for some guidance on this.


            So in components.xml I now reinstate the <security:identity/> tag and take out the <security:identity-manager/> tag and then define multiple identity stores:


            <security:identity authenticate-method="#{authenticator.authenticate}"/>
            
            <!--
            <security:identity-manager identity-store="#{jpaIdentityStore}"/>
            -->
            
            <security:ldap-identity-store name="myLdapIdentityStore1"
                                              server-address="server.domain.com"
                                              bind-DN="ou=User,dc=domain,dc=com"
                                              bind-credentials="secret"
                                              user-DN-prefix="sAMAccountName="
                                              user-DN-suffix=",ou=User,dc=domain,dc=com"
                                              role-DN-prefix="cn="
                                              role-DN-suffix=",ou=Group,dc=domain,dc=com"
                                              user-context-DN="ou=User,dc=domain,dc=com"
                                              role-context-DN="ou=Group,dc=domain,dc=com"
                                              user-role-attribute="memberOf"
                                              role-name-attribute="cn"
                                              user-object-classes="user"/>
            
            <security:ldap-identity-store name="myLdapIdentityStore2"
                                              server-address="server.domain.com"
                                              bind-DN="ou=User,dc=domain,dc=com"
                                              bind-credentials="secret"
                                              user-DN-prefix="sAMAccountName="
                                              user-DN-suffix=",ou=User,dc=domain,dc=com"
                                              role-DN-prefix="cn="
                                              role-DN-suffix=",ou=Group,dc=domain,dc=com"
                                              user-context-DN="ou=User,dc=domain,dc=com"
                                              role-context-DN="ou=Group,dc=domain,dc=com"
                                              user-role-attribute="memberOf"
                                              role-name-attribute="cn"
                                              user-object-classes="user"/>
            
            <security:jpa-identity-store user-class="org.sysfusion.core.entity.User"
                                         role-class="org.sysfusion.core.entity.SecurityRole"/>
            Then in my authenticate() method, how do I access each of these identity stores in turn?  I apologize, but I couldn't find in the docs how to programmatically access the various identity stores set in components.xml.


            leandro

            • 3. Re: Seam Identity Management and multiple identity stores
              shane.bryzak

              You can just inject them straight into your authenticator:


              import org.jboss.seam.annotations.In;
              import org.jboss.seam.annotations.Name;
              import org.jboss.seam.security.management.LdapIdentityStore;

              @Name("authenticator")
              public class Authenticator {

                // injected by component name, i.e. the name="..." given in components.xml
                @In LdapIdentityStore myLdapIdentityStore1;
                @In LdapIdentityStore myLdapIdentityStore2;

                // Identity only treats the login as successful if this returns true
                public boolean authenticate() {
                  // authentication logic here
                  return false;
                }
              }
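The following is an added worked example of the approach suggested in the reply above; it is not code from this thread or from Seam itself. It assumes the store component names from the components.xml posted earlier (myLdapIdentityStore1, myLdapIdentityStore2, and the default jpaIdentityStore) and the Seam 2.1 IdentityStore methods userExists, authenticate and getGrantedRoles. Rather than retrying a failed password against every store, it treats the first store that knows the user as authoritative, which is one way to address the "which user belongs to which store" concern raised in the first reply.

```java
import java.util.Arrays;
import java.util.List;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.management.IdentityStore;
import org.jboss.seam.security.management.JpaIdentityStore;
import org.jboss.seam.security.management.LdapIdentityStore;

@Name("authenticator")
public class Authenticator {

    @Logger Log log;

    @In Identity identity;
    @In Credentials credentials;

    // Injected by component name; these names are the ones assumed from the
    // components.xml posted earlier in this thread.
    @In LdapIdentityStore myLdapIdentityStore1;
    @In LdapIdentityStore myLdapIdentityStore2;
    @In JpaIdentityStore jpaIdentityStore;

    public boolean authenticate() {
        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // Reject empty credentials up front: an empty password must never reach
        // an LDAP bind, where some directories treat it as an anonymous bind.
        if (username == null || username.length() == 0
                || password == null || password.length() == 0) {
            return false;
        }

        // Precedence order: LDAP stores first, local JPA store last.
        List<IdentityStore> stores = Arrays.<IdentityStore>asList(
                myLdapIdentityStore1, myLdapIdentityStore2, jpaIdentityStore);

        for (IdentityStore store : stores) {
            String storeName = store.getClass().getSimpleName();

            boolean known;
            try {
                known = store.userExists(username);
            } catch (RuntimeException e) {
                // e.g. the directory is unreachable: skip it instead of locking
                // everyone out, but log it so a dead store does not go unnoticed.
                log.warn("identity store #0 unavailable, skipping it", storeName);
                continue;
            }
            if (!known) {
                continue; // not this store's user, try the next one in order
            }

            // This store owns the account. A wrong password is final here: it is
            // not retried against a later (possibly weaker) store.
            if (!store.authenticate(username, password)) {
                log.info("authentication failed for #0 against #1", username, storeName);
                return false;
            }

            // Roles come from the store that actually authenticated the user.
            for (String role : store.getGrantedRoles(username)) {
                identity.addRole(role);
            }
            log.info("user #0 authenticated via #1", username, storeName);
            return true;
        }

        // No configured store knows this username.
        log.info("no identity store knows user #0", username);
        return false;
    }
}
```

The userExists check before authenticate is the design choice that matters: with a plain fall-through on a failed authenticate, a user who exists in two stores with different passwords could log in with whichever password happens to be accepted, and an account disabled in the authoritative directory could still be accepted by a stale copy further down the list. Logging which store accepted or rejected the login also gives you the audit trail you will want when the stores disagree.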