7 Replies Latest reply on May 18, 2006 6:10 PM by Ricardo Arguello

    Login Status and Failure Messages with Form Based security

    Todd Gould Novice

      Hello:

      I have a JSF based web app that is successfully using form based authentication as shown below in the web.xml snippet:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>SCFDB</web-resource-name>
           <url-pattern>/admin/*</url-pattern>
           <!-- Listing http-method elements constrains only the methods named; other
                methods (HEAD, PUT, DELETE, OPTIONS, TRACE) on /admin/* stay unconstrained. -->
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>SCFDBUser</role-name>
         </auth-constraint>
         <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
       </security-constraint>

       <login-config>
         <auth-method>FORM</auth-method>
         <realm-name>SCFDB</realm-name>
         <form-login-config>
           <form-login-page>/login.faces</form-login-page>
           <form-error-page>/login-error.faces</form-error-page>
         </form-login-config>
       </login-config>
      


      The realm is mapped to a fairly simple extension of the DatabaseServerLoginModule in the login-config.xml:

       <application-policy name = "SCFDB">
         <authentication>
           <!-- TEG moving to custom LoginManager
           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
           -->
           <login-module code = "nuwss.edb.scfdb.security.SCFDBLoginModule"
                         flag = "required">
             <module-option name = "dsJndiName">java:jdbc/scfdb</module-option>
             <module-option name = "principalsQuery">select password_cur, password_exp, login_failed_attempts, locked_flag, last_name, first_name, email, title from user_accounts where login_name=?</module-option>
             <module-option name = "rolesQuery">select role, role_group from user_roles where login_name=?</module-option>
             <module-option name = "hashAlgorithm">SHA1</module-option>
             <module-option name = "hashEncoding">BASE64</module-option>
           </login-module>
         </authentication>
       </application-policy>
      


      The presentation of the form based login and login-error pages as well as the authentication are all working as expected. My question has to do with the presentation of additional status and error messages. This application has requirements that include messages similar to the following:

      - (Upon successful logon) "WARNING: Your password is about to expire. It will expire in 5 days"...
      - (Upon failed logon attempt) "Your account has been administratively locked..."
      - (Upon failed logon attempt) "Your account has been disabled..."
      etc., etc.

      My simple extension to DatabaseServerLoginModule, SCFDBLoginModule, allows me to detect each of these conditions. However, I appear to have no way to report this status to the user from within the extension - at least that I can find so far?

      As this is a JSF application, the ideal would be to be able to add a FacesMessage, but the j_security_check appears to be processed before a FacesContext is attached. My second thought was to add the required info to the users' session and use a listener, filter or PhaseListener to convert these to FacesMessages at the appropriate time - the problem here is that I do not appear to have any access to the session from within the DatabaseServerLoginModule extension?

      Any and all thoughts and ideas will be greatly appreciated.
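One way to bridge the gap described in the post, added here as an illustration and not code from the original poster or from JBoss: the login module records a status in a ThreadLocal before it throws, and a JSF PhaseListener turns that status into a FacesMessage when the error page renders. It assumes that the container runs the JAAS login for j_security_check on the HTTP request thread and forwards (rather than redirects) to the form-error-page on failure, which is how Tomcat's FormAuthenticator handles a failed form login; the class names LoginStatus, LoginStatusPhaseListener and StaleLoginStatusFilter, and the faces-config.xml and web.xml registrations mentioned in the comments, are invented for this example.

```java
package nuwss.edb.scfdb.security;   // package from the post; the classes below are hypothetical

import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.security.auth.login.FailedLoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Carries a login status from the JAAS LoginModule to the JSF layer.
 * Assumption: the login runs on the request thread and the container forwards
 * to the form-error-page within the same request, so a ThreadLocal set in the
 * module is still visible while /login-error.faces renders.
 */
public final class LoginStatus {

    /** Failure reasons the module distinguishes. ACCOUNT_LOCKED and ACCOUNT_DISABLED
     *  confirm to an unauthenticated caller that the login name exists, so decide
     *  deliberately which of them are shown verbatim. */
    public enum Code { BAD_CREDENTIALS, ACCOUNT_LOCKED, ACCOUNT_DISABLED }

    private static final ThreadLocal<LoginStatus> CURRENT = new ThreadLocal<LoginStatus>();

    private final Code code;

    private LoginStatus(Code code) { this.code = code; }

    /**
     * Called from the LoginModule once a condition is detected, e.g.
     *     if (locked) throw LoginStatus.fail(LoginStatus.Code.ACCOUNT_LOCKED);
     * The exception message stays generic because the container may log or expose it.
     */
    public static FailedLoginException fail(Code code) {
        CURRENT.set(new LoginStatus(code));
        return new FailedLoginException("Login failed");
    }

    /** Returns and clears the status recorded on this thread, or null if none. */
    public static LoginStatus take() {
        LoginStatus s = CURRENT.get();
        CURRENT.remove();
        return s;
    }

    public Code getCode() { return code; }

    /** User-facing text for each status. */
    public String toMessage() {
        switch (code) {
            case ACCOUNT_LOCKED:   return "Your account has been administratively locked.";
            case ACCOUNT_DISABLED: return "Your account has been disabled.";
            default:               return "Login failed.";
        }
    }
}

/**
 * Registered in faces-config.xml under <lifecycle><phase-listener>. It runs during
 * the forwarded render of login-error.faces and converts the recorded status into a
 * FacesMessage that an <h:messages/> tag on that page displays.
 */
class LoginStatusPhaseListener implements PhaseListener {
    private static final long serialVersionUID = 1L;

    public PhaseId getPhaseId() { return PhaseId.RENDER_RESPONSE; }

    public void beforePhase(PhaseEvent event) {
        LoginStatus status = LoginStatus.take();    // also clears the thread
        if (status != null) {
            FacesContext ctx = event.getFacesContext();
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, status.toMessage(), null));
        }
    }

    public void afterPhase(PhaseEvent event) { }
}

/**
 * Mapped to /* for the REQUEST dispatcher only, so it does not run on the forward
 * to the error page. Request threads are pooled; if the error page ever fails to
 * consume a status, this discards it before the thread serves another user.
 */
class StaleLoginStatusFilter implements Filter {
    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        LoginStatus.take();   // drop anything left over from an earlier request on this thread
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

This covers the failed-login messages only. The post-login password-expiry warning cannot travel the same way, because after a successful form login the container redirects to the originally requested page and the next request may be served by a different thread; that status has to come from a channel that survives the redirect, for example re-reading password_exp for the authenticated principal from the first page rendered after login.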