| Forum: Seam Users |
06. Mar 2008, 09:27 CET
I'm trying to make Seam authenticate using my own realm.
I have set up the Realm in login-config.xml and mapped the Realm in Seam with:
<security:identity
authenticate-method="#{authenticator.authenticate}"
jaas-config-name="MyRealm"/>
so far so good.
When logging in with a correct username and password I am authenticated as expected as well as when issuing a bad username and password I am not.
But when issuing any username and an empty password I am always being authenticated.
Also a bit weird is that as soon as some identity is accepted, further logins using Seam will always succeed (maybe just in the same session); no check is done against the JAAS Realm, as far as I can see with full debug trace on.
In the debugger I can see that only the expected Realm is used in the login process, but it just ends with a success more often than I would like it to.
I could really use some guidance ...
What does your method look like?
- Mike Rowe - Dirty Jobs
Blog: http://in.relation.to/Bloggers/Jay
I do not have one since I'm using the one built into Seam.
I think I have found the main issue, there was an set in the JAAS configuration.
This made the Seam authentication succeed in the manner described above.
Do you mean the one that is in and/or some of the examples?
The default Authenticator lets everything through - there is no check at all. That would explain what you are seeing.
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;

// The component name matches the #{authenticator.authenticate} expression in components.xml
@Name("authenticator")
public class Authenticator {
    @Logger Log log;
    @In Identity identity;

    public boolean authenticate() {
        log.info("authenticating #0", identity.getUsername());
        //write your authentication logic here,
        //return true if the authentication was
        //successful, false otherwise
        identity.addRole("admin");
        return true;   // the stock example accepts every login unconditionally
    }
}
- Mike Rowe - Dirty Jobs
Blog: http://in.relation.to/Bloggers/Jay
This is controlled by the allowEmptyPasswords setting in the JBoss login-config.xml - at least for the LdapLoginModule and the LdapExtLoginModule.
<application-policy name="LdapToActiveDirectory">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            ...
            <module-option name="allowEmptyPasswords">false</module-option>
        </login-module>
    </authentication>
</application-policy>
For more details, see the javadocs or the jbossas docs
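As an added example (not code from this thread or from Seam itself), here is an authenticate() method that refuses blank credentials before anything is handed to the JAAS realm, so an empty password can never reach the LDAP module, and then lets the configured realm make the real decision instead of returning true unconditionally like the stock Authenticator. It assumes Seam 2.0's Identity.getPassword() and the jaas-config name "MyRealm" from the first post; the allowEmptyPasswords=false module option above remains the fix at the login-module level, and this guard is defence in depth on top of it.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;

@Name("authenticator")
public class Authenticator {
    private static final String REALM = "MyRealm"; // assumed: the poster's application-policy name
    @Logger Log log;
    @In Identity identity;

    public boolean authenticate() {
        final String username = identity.getUsername();
        final String password = identity.getPassword();
        // Refuse blank credentials before any LDAP bind is attempted: an empty
        // password is exactly what turned into a "successful" login above.
        if (username == null || username.trim().length() == 0
                || password == null || password.length() == 0) {
            log.info("rejected login with empty username or password");
            return false;
        }
        // Feed the entered credentials to whatever login modules the realm configures.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            // Let the configured realm decide; a LoginException means "not authenticated".
            new LoginContext(REALM, handler).login();
            return true;
        } catch (LoginException e) {
            log.info("login failed for #0", username);
            return false;
        }
    }
}
```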
Thanks, there's always one more setting ... ;-)