geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: How to use JAAS with JSF , best practice
Date Wed, 19 Mar 2008 16:42:34 GMT
This looks to me like a really useful use case and I hope we can  
figure out a good solution quickly and document it.  I hope someone  
who knows more about JSF than I can help or the "quickly" part is  
unlikely :-)

On Mar 18, 2008, at 11:05 PM, Ralf Baumhof wrote:

> I have got an application where after a successful login the user  
> maybe must select a role (the user may be an administrator and a  
> standard user). So, a navigation to a role-selection-page must be  
> performed. We are using JSF pages for the view component, so we  
> have an easy and powerful navigation mechanism.

I've wondered about how to do stuff like this and have a couple  
- Does authenticating the user happen before or after the user  
chooses the role they wish to be in?
- Is the user presented with a list of possible roles based on their  
- How many web pages does this process take up?  E.g., is role  
selection on the same page or a different page than filling in user/  
credential info?

> From the web application security example (see http:// 
> we  
> know a very good and easy way of using JAAS authentication with a  
> geronimo security realm. This example uses standard servlet  
> authentication procedure for login at web container. This procedure  
> requires a simple html page with the j_security_check action. So,  
> if we are using JSF pages we are loosing a lot of the powerful JSF  
> navigation features. So my attempt was to use a JSF page with a JSF  
> backing bean which performs the step by itself using the  
> LoginContext.login("my-security-realm",myCallBackHandler) method.  
> This also works fine, but the authentication is only done with the  
> ejb container. Tomcat is not informed about the user login. So the  
> secure pages are still restricted.

I think the reason this is tricky is that the javaee security model  
has the container making the authentication and  access decisions in  
container code that is accessed before the control gets to any user  
There is no provision for the user code to either help with container  
managed authentication or authorization.  So, by the time control  
gets to the code backing the jsf components, both authentication and  
authorization should have taken place.

As a wild and unlikely idea, could some of the JSF component code  
forward an appropriately munged request to the j_security_check stuff?

You might try the geronimo-specific ContextManager.login method which  
will at least engage geronimo's security framework.  I don't think it  
will work though for repeated requests as I don't see any way for  
tomcat to recognize that the next request is from the same user.

It might also be possible to fish around inside tomcat to get the  
Authenticator and use that instead of ContextManager.login.  Since  
this is what tomcat does anyway this should install the stuff tomcat  
uses to track the user.

It might also be possible to do something elegant in the new and not- 
in-geronimo-yet jaspi spec.

Does the jsf spec have anything to say about this?

david jencks

> Does anybody know a better way of integrating JAAS with JSF with  
> the purpose of not loosing the JSF navigation features??
> Thanks in advance!!
> _____________________________________________________________________
> Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!

View raw message