Hi, dear Seamers! I have managed to get a Login Module working which takes users and passwords from an EJB3. After that I use a session bean that takes the user principal of the Faces Context's external context and authenticates the user with the Seam authenticator.

login-module.xml:

    <application-policy name="simple">
      <authentication>
        <login-module
            code="de.livemediagroup.security.auth.MarktplatzLoginModule"
            flag="required">
          <module-option name="jndiEntityManagerFactory">java:/issuesEntityManagerFactory</module-option>
        </login-module>
      </authentication>
    </application-policy>

LoginModule java file:

    import java.security.acl.Group;
    import java.util.ArrayList;
    import java.util.Iterator;

    import javax.naming.InitialContext;
    import javax.persistence.EntityManager;
    import javax.persistence.EntityManagerFactory;
    import javax.security.auth.login.LoginException;

    import org.apache.commons.logging.Log;        // assumed: commons-logging
    import org.apache.commons.logging.LogFactory; // assumed: commons-logging
    import org.jboss.security.SimpleGroup;
    import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

    // UserInformation and Role are application entity classes; their imports are not shown in the post.
    public class MarktplatzLoginModule extends UsernamePasswordLoginModule {

        private static final Log log = LogFactory
                .getLog(MarktplatzLoginModule.class);

        private static final String JNDI_EM_CONFIG_KEY = "jndiEntityManagerFactory";

        private UserInformation user;

        // Returns the stored password; the base class compares it with the submitted one.
        @Override
        protected String getUsersPassword() throws LoginException {
            try {

                InitialContext ctx = new InitialContext();
                String jndiEntityManagerFactory = options.get(JNDI_EM_CONFIG_KEY)
                        .toString();
                System.out.println(jndiEntityManagerFactory);
                EntityManagerFactory factory = (EntityManagerFactory) ctx
                        .lookup(jndiEntityManagerFactory);
                EntityManager entityManager = factory.createEntityManager();

                user = (UserInformation) entityManager.createQuery(
                        "from UserInformation where login=:login").setParameter(
                        "login", getUsername()).getSingleResult();
                return user.getPassword();
            } catch (Exception e) {
                // Message text: "Error while looking up the user"
                log.error("Fehler beim ermitteln des Benutzers", e);
                throw new LoginException("Fehler beim ermitteln des Benutzers: "
                        + e);
            }
        }

        // Builds the "Roles" group from the roles of the user loaded in getUsersPassword().
        @Override
        protected Group[] getRoleSets() throws LoginException {
            Group rolesGroup = new SimpleGroup("Roles");
            ArrayList<Group> groups = new ArrayList<Group>();
            groups.add(rolesGroup);
            try {
                Iterator<Role> roleIterator = user.getRoles().iterator();
                while (roleIterator.hasNext()) {
                    rolesGroup.addMember(createIdentity(roleIterator.next()
                            .getName()));
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
            Group[] roleSets = new Group[groups.size()];
            groups.toArray(roleSets);
            return roleSets;
        }

    }

Managed seam session bean:

    @Name("login")
    @Stateful
    @Scope(ScopeType.SESSION)
    @Startup
    public class LoginBean implements Login {

        @Logger
        Log log;

        @In(create=true)
        private EntityManager entityManager;

        @In(create=true)
        private Conversation conversation;

        private UserInformation instance = new UserInformation();

        @Out(scope=ScopeType.SESSION, required=true)
        private UserInformation User;

        @Factory("User")
        @Begin(join=true)
        public void createUser() {

            System.out.println(FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName());

            String login = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();
            System.out.println(login + " 1 " + entityManager);
            User = (UserInformation) entityManager.createQuery("from UserInformation where login=:login")
                    .setParameter("login", login).getSingleResult();
            Authenticator.instance().authenticate(User.getLogin(), User.getPassword());
            Contexts.getSessionContext().set("loggedIn", true);
        }
        ...
        ...
        ...

web.xml security:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>simple</web-resource-name>
        <url-pattern>/marktplatz/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login.jsf</form-error-page>
      </form-login-config>
    </login-config>

    <welcome-file-list>
      <welcome-file>/marktplatz/startpage.jsf</welcome-file>
      <welcome-file>/index.html</welcome-file>
    </welcome-file-list>

Note that /marktplatz is the secured area and there is no other area except for the login page, which resides inside the root folder of my web-app.

Now my questions:

1.) Am I assuming correctly that a Session is only created when the user has logged in successfully, or have I just coded a HUGE security leak for my webapp?

2.) I tried using a custom principal class (UserInformation implements Principal) by specifying the principalClass option for my login module and it was used throughout the login process. However, in my web app I always got a SimplePrincipal object when doing

    FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getClass().getName()

Why was my custom principal class not propagated into the external context, but SimplePrincipal used instead?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3979570#3979570
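
An added example (not part of the original post, and not Seam or JBoss code): `createUser()` above calls `getUserPrincipal().getName()` directly, and `ExternalContext.getUserPrincipal()` returns null for a request the container has not authenticated. The hypothetical helper `requireLogin` takes the principal and a role check as plain arguments so that it runs with the JDK alone; in the bean they would come from `ExternalContext.getUserPrincipal()` and `ExternalContext::isUserInRole`, with the role name `user` taken from the web.xml constraint.

```java
import java.security.Principal;
import java.util.function.Predicate;

// Added example; class and method names are hypothetical, inputs in main() are constructed.
public final class AuthenticatedLogin {

    /** Signals that the request carries no usable container-authenticated identity. */
    public static final class NotAuthenticatedException extends RuntimeException {
        public NotAuthenticatedException(String reason) { super(reason); }
    }

    /**
     * Returns the login name only for an authenticated caller holding requiredRole.
     * @param principal    value of ExternalContext.getUserPrincipal(); null if unauthenticated
     * @param isUserInRole role check, e.g. ExternalContext::isUserInRole
     * @param requiredRole role from the auth-constraint in web.xml ("user" on this page)
     */
    public static String requireLogin(Principal principal,
                                      Predicate<String> isUserInRole,
                                      String requiredRole) {
        if (principal == null) {
            throw new NotAuthenticatedException("no user principal on this request");
        }
        String login = principal.getName();
        if (login == null || login.trim().isEmpty()) {
            throw new NotAuthenticatedException("principal has no name");
        }
        if (!isUserInRole.test(requiredRole)) {
            throw new NotAuthenticatedException("caller lacks role " + requiredRole);
        }
        return login;
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice"; // constructed sample principal
        System.out.println(requireLogin(alice, "user"::equals, "user"));
        try {
            requireLogin(null, role -> false, "user"); // unauthenticated request
        } catch (NotAuthenticatedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            requireLogin(alice, role -> false, "user"); // authenticated, but wrong role
        } catch (NotAuthenticatedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Only the name returned by `requireLogin` would then be used for the `UserInformation` query and the `loggedIn` session flag.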