I am trying to integrate my app with a custom SSO solution.
To do this I looked at RememberMe and quickly found that it is not what I need. (The SSO cookie is opaque to me. I have no idea what its format is like - it is only validated by a web service. And btw it really should not contain the password.)
So, I tried to use the same underlying mechanism that RememberMe uses, i.e. listening for the events Credentials.EVENT_INIT_CREDENTIALS and Identity.EVENT_QUIET_LOGIN.
However, the second event never happens if I hit a page that requires login while not being logged in, for example:

    <page view-id="/contact-data.xhtml" login-required="true">
        <rewrite pattern="/contact-data"/>
    </page>

Instead I am taken to the log-in page. However, if I remove the login-required from the page definition and add a <restrict> tag, then everything works as designed.
I found the culprit to be the code that checks if a redirect to the login page is required. It never tries a quiet login.
See Pages.java:

    private boolean isLoginRedirectRequired(String viewId, Page page)
    {
       return page.isLoginRequired() &&
             !viewId.equals( getLoginViewId() ) &&
             !Identity.instance().isLoggedIn();
    }

If I change this method like so, it works fine:
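
    private boolean isLoginRedirectRequired(String viewId, Page page) {
        // No redirect for public pages or for the login page itself.
        if (!page.isLoginRequired() || viewId.equals(getLoginViewId())) {
            return false;
        }
        Identity identity = Identity.instance();
        // Attempt a quiet login first (raises Identity.EVENT_QUIET_LOGIN).
        identity.tryLogin();
        // Redirect only if the user is still not logged in afterwards.
        return !identity.isLoggedIn();
    }
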
Is this a bug/oversight or do I expect something that was never intended to work that way?