0 Replies Latest reply on Jun 8, 2010 12:02 PM by Matthew McKay

    Why are my roles disappearing between JAAS and Seam?

    Matthew McKay Newbie
      Hey everyone,
      I'm having some troubles with roles and I am not sure what is the cause. The problem I am trying to solve: I need to authenticate users against LDAP and pull role information from a different propritary schema. To facilitate this I've written a LoginModule.
      The issue I am having is a somewhat unclear to me, but I will do my best to explain it.
      My LoginModule's commit is doing basically this (Among a few other things):

                      SimpleGroup roleSet = new SimpleGroup("Roles");
                      for(String name : getRolesFor(identity)) {
                              roleSet.addMember(new SimplePrincipal(name));
                      }
                      subject.getPrincipals().add(roleSet);

      As far as I can tell from taking apart examples in JBoss-SX this is more or less the correct way to do this. I was originally just providing a getRoleSets() from AbstractServerLoginModule, but I ran into this issue.
      The roles I am adding in the LoginModule aren't visible to Seam's Identity via bean injection. If I debug my Identity object it looks fairly empty:


      Subject:
              Principal: admintestuser1
              Principal: Roles(members)


      If I place the roles into something other than Identity.ROLES_GROUP I get

      Subject:
              Principal: admintestuser1
              Principal: hrrugh(members:TheDuke)



      which is what I expected to get in the Identity.ROLES_GROUP.
      Clearly I am misunderstanding something here. Why are my roles being removed?

      web.xml

      <security-role>
        <description>Long winded discription</description>
        <role-name>TheDuke</role-name>
      </security-role>


      login-config.xml

      <application-policy name="ISSAuth">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="requisite">
              <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
              <module-option name="java.naming.provider.url">ldap://ldap.fqdn:636/</module-option>
              <module-option name="java.naming.security.protocol">ssl</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="principalDNPrefix">uid=</module-option>
              <module-option name="principalDNSuffix">,ou=people,dc=fqdn</module-option>
              <module-option name="uidAttributeID">userid</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            <login-module code="fqdn.APIRoleResolver.LoginModule" flag="optional">
            </login-module>
          </authentication>
        </application-policy>

      Thanks. I apologize for the atrocious formatting but I couldn't seem to make the syntax checker happy