7 Replies Latest reply on Nov 10, 2009 2:30 AM by Nikolay Elenkov

    Seam login problem

    guy bashan Apprentice

      Hi,


      I am having Seam login issue:
      I have a login screen. I first login to the system. Then I go back to the login page. Then I enter some not good username and password. when I press the submit button, it goes to the application. I think it just bypasses the Authenticator class. Is there a way solving this issue?


      Thanks,
      Guy.

        • 1. Re: Seam login problem
          Arbi Sookazian Master

          Post your pages.xml.


          run in debug mode with brkpt in Authenticator class method(s) to be sure what's happening.

          • 2. Re: Seam login problem
            guy bashan Apprentice

            Here is my pages.xml. The authenticator is not being called at all.


            <?xml version="1.0" encoding="UTF-8"?>
            <pages xmlns="http://jboss.com/products/seam/pages"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.2.xsd"
                   no-conversation-view-id="/main.xhtml"
                   login-view-id="/signin.xhtml">
            
              <page view-id="*">
                <!--navigation from-action="#{identity.logout}">
                  <raise-event type="removeLoginCookie"/>
                  <redirect view-id="/main.xhtml"/>
                </navigation-->
                <!--action execute="#{authenticator.autoLoginCookie}" if="#{!identity.loggedIn}"/-->
                <navigation>
                  <!--end-conversation before-redirect="true"/-->
                  <rule if-outcome="home">
                    <redirect view-id="/home.xhtml"/>
                  </rule>
            
                </navigation>
            
              </page>
            
              <page view-id="/main.xhtml">
                <rewrite pattern="/" />
                <navigation>
                  <!--end-conversation before-redirect="true"/-->
                  <rule if="#{identity.loggedIn}">
                    <redirect view-id="/home.xhtml" />
                  </rule>
                </navigation>
              </page>
            
              <page view-id="/signin.xhtml">
                <!--action execute="#{org.jboss.seam.security.facesSecurityEvents.initCredentialsFromCookie(org.jboss.seam.security.identity)}"/-->
                <rewrite pattern="/signin" />
                <navigation>
                  <!--end-conversation before-redirect="true"/-->
                  <rule if="#{identity.loggedIn}">
                    <redirect view-id="/home.xhtml"/>
                  </rule>
                </navigation>
            
              </page>
            
              <page view-id="/signup.xhtml">
                <rewrite pattern="/signup" />
                <navigation>
                  <rule if="#{identity.loggedIn}">
                    <redirect view-id="/home.xhtml"/>
                  </rule>
                </navigation>
            
              </page>
            
              <page view-id="/home.xhtml" login-required="true">
                <rewrite pattern="/home/{filter}/{page}"/>
                <rewrite pattern="/home/{filter}"/>
                <rewrite pattern="/home"/>
                <param name="filter" />
                <param name="page" />
              </page>
            
            
              <page view-id="/show.xhtml" login-required="false">
                <param name="photoId" required="true"/>
              </page>
            
              <page view-id="/show_user.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_general.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_personal.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_password.xhtml" login-required="true">
              </page>
            
              <page view-id="/settings_account.xhtml" login-required="true">
              </page>
            
              <page view-id="/upload.xhtml" login-required="true">
                <rewrite pattern="/upload"/>
              </page>
            
            
              <page view-id="/password.change.xhtml">
                <param name="confirmationCode" value="#{changePassword.confirmationCode}"/>
              </page>
            
            
              <!--page view-id="/mail/error.xhtml" login-required="false">
                 <action execute="#{error.sendMail}" />
              </page>
            
              <exception>
                <end-conversation />
                <redirect view-id="/mail/error.xhtml" />
              </exception-->
            
            
            </pages>
            




            • 3. Re: Seam login problem
              Nikolay Elenkov Master

              For whatever reason (performance optimization?, root of all evil and all) Seam doesn't try to authenticate you if you are already logged in. You can easily use this for privilege escalation: login as user1 (role: USER), then go to the login scren, type 'admin' as the username, whatever password, hit 'Login' and presto: you are admin (role: ADMIN). Maybe there is an official way to change this behaviour, but what I did is just override Identity.authenticate(). Here is the relevant code from Seam's Identity.java:


                 public synchronized void authenticate() 
                    throws LoginException
                 {
                    // If we're already authenticated, then don't authenticate again
                    if (!isLoggedIn() && !credentials.isInvalid())
                    {
                       principal = null;
                       subject = new Subject();
                       authenticate( getLoginContext() );
                    }      
                 }
              
              


              • 4. Re: Seam login problem
                Shervin Asgari Master

                If that is the case it is a big security issue. However, using your own authenticator implementation it will not do that. I just tried with our app, and it didn't bump the user.

                • 5. Re: Seam login problem
                  guy bashan Apprentice

                  2 things:
                  1) I am not sure if this is security hole related with Seam, since, after all, I explicitly said in my pages.xml:


                  <rule if="#{identity.loggedIn}">
                          <redirect view-id="/home.xhtml"/>
                        </rule>
                  


                  So I guess Seam simply executes the rule before it ever event has the chance of executing the Authenticator code.
                  2) Frankly, the real behavior that was good for me: If user is already logged-in and coming to signin page, I don't event want to show him signin page and just redirect him to the page that comes after login. In general, I want that if user is LOGGED IN, on every page which is considered to be before login page, the user will simply be directed to the page after login. Has anyone implemented such behavior?


                  Thanks,
                  Guy

                  • 6. Re: Seam login problem
                    Shervin Asgari Master

                    I have that rule only when you push the login button.




                    <navigation from-action="#{authenticator.identityLogin}">
                    <rule if="#{identity.loggedIn and identity.hasRole('officer')}">
                         <raise-event type="cleanupUserInfo"/>
                         <redirect view-id="/mypage.xhtml" />
                    </rule>



                    And you can also type in this if you want:




                    <page view-id="*" login-required="true">





                    That should be enough. However I have the opposite. I have



                    <page view-id="*">



                    and then on each of the folders or pages I have explicitly said login-required true.




                    <page login-required="true" view-id="/admin/*">



                    • 7. Re: Seam login problem
                      Nikolay Elenkov Master

                      Shervin Asgari wrote on Nov 09, 2009 11:32:


                      If that is the case it is a big security issue. However, using your own authenticator implementation it will not do that. I just tried with our app, and it didn't bump the user.



                      I might've overreacted a bit :) You are right: since it is your authentication method that manages roles, and it is not called, there will be no change in roles. The only thing that changes is the username in the Identity/Credentials component. If rely on that for some reason, you
                      might be in trouble. At any rate, (apparent) successful login with invalid credentials is a bug, if not in Seam, then in the application.