geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: How to use JAAS with JSF , best practice
Date Wed, 26 Mar 2008 17:20:01 GMT

On Mar 26, 2008, at 9:00 AM, rbaumhof wrote:

> The workflow of the application should be the following:
> login.jsp:
>  user enters userid and password and presses the login button
> then:
>  someone (j_security_check) checks that this is a valid user. If  
> user and
> password are valid the groups of
>  the users are loaded. If the user belongs only to one group (i.e.
> administrator) then the
>  welcome page with (administration) menue is displayed.
>  If the user belongs to more then one group (i.e. local- 
> administrator and
> application-user)
>  then:
>    selectRole.jsp is displayed.
>    Here a listbox should be displayed where he can select the role.
> Now, when i describe the workflow, i see that this can not be done by
> servlet authentication mechanism. I think we must  write our own  
> filter to
> watch the requested pages.
> Thanks for your help!!

I can't think of any good way to do this within the servlet  
authentication mechanism right now either.  However, what you are  
trying to do is generally a requirement of role-based authorization  
systems with dynamic separation of duty constraints so I'm glad to  
see there is actually some demand for the feature.

I think it may be possible to develop what you want in the (new)  
JASPI spec which may be part of javaee 6 (I don't know one way or the  
other).  It provides for a multi-message conversation between the  
client and server to establish the clients identity.  It should be  
possible to write a jaspi provider that can after initial  
authentication ask for the desired role if there is more than one.

Geronimo doesn't implement jaspi yet but I'm hoping we can get to it  
this year.  If you want to contribute that would be great!  If you  
want to experiment with it I believe glassfish has an implementation:  
I don't know if any other app servers do.

david jencks

> djencks wrote:
>> This looks to me like a really useful use case and I hope we can
>> figure out a good solution quickly and document it.  I hope someone
>> who knows more about JSF than I can help or the "quickly" part is
>> unlikely :-)
>> On Mar 18, 2008, at 11:05 PM, Ralf Baumhof wrote:
>>> I have got an application where after a successful login the user
>>> maybe must select a role (the user may be an administrator and a
>>> standard user). So, a navigation to a role-selection-page must be
>>> performed. We are using JSF pages for the view component, so we
>>> have an easy and powerful navigation mechanism.
>> I've wondered about how to do stuff like this and have a couple
>> questions
>> - Does authenticating the user happen before or after the user
>> chooses the role they wish to be in?
>> - Is the user presented with a list of possible roles based on their
>> identity?
>> - How many web pages does this process take up?  E.g., is role
>> selection on the same page or a different page than filling in user/
>> credential info?
>>> From the web application security example (see http://
>>> we
>>> know a very good and easy way of using JAAS authentication with a
>>> geronimo security realm. This example uses standard servlet
>>> authentication procedure for login at web container. This procedure
>>> requires a simple html page with the j_security_check action. So,
>>> if we are using JSF pages we are loosing a lot of the powerful JSF
>>> navigation features. So my attempt was to use a JSF page with a JSF
>>> backing bean which performs the step by itself using the
>>> LoginContext.login("my-security-realm",myCallBackHandler) method.
>>> This also works fine, but the authentication is only done with the
>>> ejb container. Tomcat is not informed about the user login. So the
>>> secure pages are still restricted.
>> I think the reason this is tricky is that the javaee security model
>> has the container making the authentication and  access decisions in
>> container code that is accessed before the control gets to any user
>> code.
>> There is no provision for the user code to either help with container
>> managed authentication or authorization.  So, by the time control
>> gets to the code backing the jsf components, both authentication and
>> authorization should have taken place.
>> As a wild and unlikely idea, could some of the JSF component code
>> forward an appropriately munged request to the j_security_check  
>> stuff?
>> You might try the geronimo-specific ContextManager.login method which
>> will at least engage geronimo's security framework.  I don't think it
>> will work though for repeated requests as I don't see any way for
>> tomcat to recognize that the next request is from the same user.
>> It might also be possible to fish around inside tomcat to get the
>> Authenticator and use that instead of ContextManager.login.  Since
>> this is what tomcat does anyway this should install the stuff tomcat
>> uses to track the user.
>> It might also be possible to do something elegant in the new and not-
>> in-geronimo-yet jaspi spec.
>> Does the jsf spec have anything to say about this?
>> thanks
>> david jencks
>>> Does anybody know a better way of integrating JAAS with JSF with
>>> the purpose of not loosing the JSF navigation features??
>>> Thanks in advance!!
>>> ____________________________________________________________________ 
>>> _
>>> Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu  
>>> sparen!
> -- 
> View this message in context: 
> with-JSF-%2C-best-practice-tp16137644s134p16304268.html
> Sent from the Apache Geronimo - Users mailing list archive at  

View raw message