8 Replies Latest reply on Jan 13, 2014 2:36 AM by Bojan Dolinar

    Seam Login - flawed logic or do I need to extend Credentials?

    Tim Evers

      Ok, so I have a page that has the following fields: username, password, and a checkbox for accepting the terms and conditions. The problem I have is this. (And maybe it's a side effect of not using a password in dev mode, but I want to try to understand what I'm supposed to do to fix this :S)


      If a user types in their username, leaves the password blank (the dev user has no password) and does not check the checkbox, then in the authenticate method (I have set this up in components.xml) authentication fails... as per the code below.


          public boolean authenticate() {
              log.info("Logging in as user: " + credentials.getUsername()
                  + ". Privacy agreement accepted? " + agreedToPrivacy);
      
              // Business rule checked first: an unticked checkbox fails authentication
              if (!agreedToPrivacy) {
                  FacesMessagesUtils
                      .addErrorFromBundle("security.privacy.not.checked");
                  return false;
              }
      
              // ...other checks here against the database or LDAP, maybe.
              return true;
          }
      



      So I return false from the authenticate method and the user is left on the login screen with an error. So far all good.


      So, now the user checks the checkbox and clicks login. I expected that this should work and successfully log the user in. Instead I just get a LoginException and the user can never get off the login screen unless they change their username (to something completely wrong), try to log in (which fails), then fix their username back up and log in again.


      So, I've looked into the Seam source to try to work this out and I think I sorta know what's going on.


      In the Identity.login() method it calls the authenticate method and if that fails it throws a LoginException. This exception is caught and then this line of code executes.


      credentials.invalidate();
      



      However, there is no way to make the credentials valid again unless you change the username or password as the only place where invalid is set to false is inside the setUsername or setPassword methods in the Credentials class. The problem is that invalid is set to false if and only if the set username changes.


      So, my question is this. Is it really logical to assume that the only reason a person's credentials failed to authenticate is because they typed their username and/or password wrong? I can think of a whole bunch of reasons why authentication can fail outside of the username/password being incorrect: authentication server timeout, time-based restrictions on login (valid login hours), multiple logins detected (systems that only allow you to be connected on 1 session), a brand new account that hasn't been activated yet. I'm sure there are more but these are a few I can think of in 30 secs.


      Anyways, I'm more than willing to extend Credentials if I have to (not sure IF I can do it but I can go read about it). But, just wondering what other people's thoughts are on this.
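A toy Java model of the flow described in this post, added here as an example and not code from Seam or from the poster: it reproduces the stuck state that arises when a non-credential rule (the privacy checkbox) lives inside authenticate(), and contrasts it with rejecting the form before login() is ever called, so that an invalidated credential really does mean a wrong username or password. The Credentials and Identity classes are simplified stand-ins for Seam's, and the "dev" user and the runScenario helper are assumptions.

```java
import java.util.Arrays;
import java.util.Objects;
import java.util.function.BooleanSupplier;

// Simplified model (assumption, not Seam's classes): login() calls authenticate();
// on failure the credentials are invalidated, and the flag only clears when
// setUsername/setPassword receive a value that actually differs.
public class StickyLoginDemo {
    static class Credentials {
        private String username, password;
        private boolean invalid;
        void setUsername(String u) { if (!Objects.equals(username, u)) { username = u; invalid = false; } }
        void setPassword(String p) { if (!Objects.equals(password, p)) { password = p; invalid = false; } }
        void invalidate() { invalid = true; }
        boolean isInvalid() { return invalid; }
        String getUsername() { return username; }
    }

    static class Identity {
        final Credentials credentials = new Credentials();
        boolean loggedIn;
        // 'authenticator' stands in for the authenticate method wired up in components.xml
        String login(BooleanSupplier authenticator) {
            if (!credentials.isInvalid() && authenticator.getAsBoolean()) { loggedIn = true; return "loggedIn"; }
            credentials.invalidate();   // the catch-block behaviour quoted in the post
            return null;
        }
    }

    /** Two attempts: first with the box unticked, then ticked. Returns each attempt's outcome. */
    static String[] runScenario(boolean ruleInsideAuthenticate) {
        Identity id = new Identity();
        id.credentials.setUsername("dev");   // constructed dev user with a blank password
        boolean[] accepted = {false};
        BooleanSupplier credentialsOk = () -> "dev".equals(id.credentials.getUsername());
        BooleanSupplier authenticate = ruleInsideAuthenticate
            ? () -> accepted[0] && credentialsOk.getAsBoolean() : credentialsOk;

        String[] outcomes = new String[2];
        for (int attempt = 0; attempt < 2; attempt++) {
            if (attempt == 1) accepted[0] = true;   // user ticks the box and retries
            // page-action style: reject the form before touching Identity at all
            if (!ruleInsideAuthenticate && !accepted[0]) { outcomes[attempt] = "privacy-not-checked"; continue; }
            outcomes[attempt] = id.login(authenticate);
        }
        return outcomes;
    }

    public static void main(String[] args) {
        System.out.println(Arrays.toString(runScenario(true)));   // rule inside authenticate()
        System.out.println(Arrays.toString(runScenario(false)));  // rule checked before login()
    }
}
```

With the rule inside authenticate() both attempts return null, because the second attempt never reaches the authenticator once the flag is set; with the rule checked first, the first attempt is rejected without invalidating anything and the second logs in.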