Problem using JAAS security-constraint with the IceFaces renderedOnRole-Tag  XML
stni

Joined: 09/Nov/2007 00:00:00
Messages: 9


Using IceFaces 1.6.1 with Glassfish 9.1, I want to make use of the "renderedOnRole" tags of the IceFaces components. But I'm running into some serious problems and I wanted to know if my concept has a general problem:

I built a test project derived from the Auction-Monitor sample. To make use of the native JAAS in the application server, I set up a security-constraint with a "FORM" login-config (see attached web.xml below). The security-constraint seems to work.
I wrote a simple page with a button, which only increments a counter, and an outputText:
Code:
<ice:outputText renderedOnUserRole="AdminRole" value="User fulfills AdminRole" />

For logging purposes I am also checking in the backing bean:
Code:
PersistentFacesState.getInstance().getFacesContext().getExternalContext().isUserInRole("AdminRole")

and
Code:
PersistentFacesState.getInstance().getFacesContext().getExternalContext().getRemoteUser()


After successfully authenticating as a user having the role "AdminRole", the Glassfish server log says
Code:
[#|INFO|sun-appserver9.1|javax.enterprise.system.container.web|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8080-0;
 |Unable to find a <servlet-name> element which map: /TestProject/block/send-receive-updates|#]

but the outputText is rendered correctly.

When hitting the button several times, at nearly every second time the above mentioned outputText does not appear at all, the isUserInRole("AdminRole") method returns false, but the getRemoteUser() method still returns the correct username.

It looks to me that there is a big problem in my setup. I am using JAAS, since I want to implement my own Realm (accessing Entities through the JPA) and make use of com.sun.appserv.security.ProgrammaticLogin. Does anyone have an idea where the problem might be?
I attached the web.xml and the faces-config.xml below.

web.xml:
Code:
<web-app>

    <display-name>IceFaceTestCircuit</display-name>

    <context-param>
        <param-name>com.icesoft.faces.debugDOMUpdate</param-name>
        <param-value>false</param-value>
    </context-param>

    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>server</param-value>
        <description>
            State saving method: "client" or "server" (= default)
            See JSF Specification 2.5.2
        </description>
    </context-param>

    <context-param>
        <param-name>com.icesoft.faces.uploadDirectory</param-name>
        <param-value>upload</param-value>
    </context-param>

    <!-- concurrent DOM views -->
    <context-param>
        <param-name>com.icesoft.faces.concurrentDOMViews</param-name>
        <param-value>false</param-value>
    </context-param>
    <!-- Asynchronous Updates -->
    <context-param>
        <param-name>com.icesoft.faces.synchronousUpdate</param-name>
        <param-value>false</param-value>
    </context-param>

    <context-param>
        <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
        <param-value>.xhtml</param-value>
    </context-param>

    <listener>
        <listener-class>com.icesoft.faces.util.event.servlet.ContextEventRepeater</listener-class>
    </listener>

    <!-- Source Code reader servlet -->
    <servlet>
        <servlet-name>SourceCode Reader</servlet-name>
        <servlet-class>com.icesoft.icefaces.samples.showcase.util.SourceCodeLoaderServlet</servlet-class>
    </servlet>

    <!-- file upload Servlet -->
    <servlet>
        <servlet-name>uploadServlet</servlet-name>
        <servlet-class>com.icesoft.faces.component.inputfile.FileUploadServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- Faces Servlet -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>Persistent Faces Servlet</servlet-name>
        <servlet-class>com.icesoft.faces.webapp.xmlhttp.PersistentFacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>Blocking Servlet</servlet-name>
        <servlet-class>com.icesoft.faces.webapp.xmlhttp.BlockingServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- extension mapping -->

    <servlet-mapping>
        <servlet-name>uploadServlet</servlet-name>
        <url-pattern>/uploadHtml</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>Persistent Faces Servlet</servlet-name>
        <url-pattern>*.iface</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>Persistent Faces Servlet</servlet-name>
        <url-pattern>/xmlhttp/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>Blocking Servlet</servlet-name>
        <url-pattern>/block/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>SourceCode Reader</servlet-name>
        <url-pattern>/sourcecodeStream.html</url-pattern>
    </servlet-mapping>

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

    <!-- Welcome files -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Constraint</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AdminRole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/admin/login.jsp</form-login-page>
            <form-error-page>/admin/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <!-- All Roles -->
    <security-role>
        <description></description>
        <role-name>AdminRole</role-name>
    </security-role>
    <security-role>
        <description></description>
        <role-name>WebmasterRole</role-name>
    </security-role>
</web-app>



faces-config.xml:
Code:
<faces-config xmlns="http://java.sun.com/JSF/Configuration">

    <application>
        <view-handler>
            com.icesoft.faces.facelets.D2DFaceletViewHandler
        </view-handler>
        <locale-config>
            <default-locale>en</default-locale>
            <supported-locale>en</supported-locale>
            <supported-locale>de</supported-locale>
        </locale-config>
    </application>

    <managed-bean>
        <description>
            Manages render calls to the Faces Context.
        </description>
        <managed-bean-name>RenderManager</managed-bean-name>
        <managed-bean-class>
            com.icesoft.faces.async.render.RenderManager
        </managed-bean-class>
        <managed-bean-scope>application</managed-bean-scope>
    </managed-bean>

    <managed-bean>
        <managed-bean-name>LoginBean</managed-bean-name>
        <managed-bean-class>
            de.testProject.loginPage.beans.LoginBean
        </managed-bean-class>
        <managed-bean-scope>session</managed-bean-scope>
    </managed-bean>
</faces-config>


philip.breau


Joined: 08/May/2006 00:00:00
Messages: 2989


Hi,

The problem for you may be that we don't really support JAAS alone when using AJAX Push. For this you have to also use Acegi security. We rely on Acegi to access security credentials during server-initiated rendering, which may not have access directly through the request object at that time.

Thanks,
Philip

melhe

Joined: 18/Sep/2007 00:00:00
Messages: 1


I also tried using the ProgrammaticLogin but don't think it can be used together with the Ice servlets.

I'm not 100% sure but I think that the ProgrammaticLogin class requires "javax.faces.webapp.FacesServlet".
asherwin

Joined: 27/Jun/2008 00:00:00
Messages: 108


I use JAAS without issues (but do not use server push) in Glassfish.

If you can find a way that can reliably check the role on the server side, ditch the renderedOnRole attribute and use the rendered attribute with a custom "Filter Map".

What I mean by this is do something like:

rendered="#{Security.hasRole['AdminRole']}"

Where Security is a managed bean that has a member named "hasRole" which is of type Map<String, String>, implemented with a custom class extending Map in which you override the get method.

Sounds complex, but it's really pretty simple, and what you end up getting is the ability to pass an argument ("AdminRole") through to a custom backing bean handler and be able to "filter" the response. I use this approach for all types of things... it's pretty useful.

An example of the Map you might implement would be like:
Code:
import java.util.HashMap;
import java.util.Map;

public final class ExampleFilterMap<K, V> extends HashMap<K, V> {

  private static final long serialVersionUID = 1L;

  public ExampleFilterMap() {
    super();
  }

  public ExampleFilterMap(final Map<? extends K, ? extends V> m) {
    super(m);
  }

  // EL evaluates hasRole['AdminRole'] as a call to get("AdminRole"),
  // so the role check belongs here rather than in a stored value.
  @Override
  @SuppressWarnings("unchecked")
  public V get(final Object key) {
    // Placeholder: replace with the real role check for the given key
    return (V) Boolean.toString(true);
  }
}
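A worked version of the "filter map" idea from the post above, added here as an example and not code from the thread or from ICEfaces: a managed bean (assumed name Security, registered in faces-config.xml) whose hasRole map delegates every get() to ExternalContext.isUserInRole, and fails closed when no FacesContext is current, which is the situation philip.breau describes for server-initiated rendering. It assumes the JSF 1.x API (javax.faces) on the classpath; the main() runs offline against a constructed role set.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.faces.context.FacesContext;

/** Managed bean backing rendered="#{Security.hasRole['AdminRole']}". */
public class Security {
    /** Abstracts the role check so the map can be exercised outside a container. */
    public interface RoleChecker {
        boolean isUserInRole(String role);
    }

    /** Map that computes its value on every get() instead of storing one. */
    public static final class RoleFilterMap extends HashMap<String, Boolean> {
        private static final long serialVersionUID = 1L;
        private final transient RoleChecker checker; // not serializable; null after passivation
        public RoleFilterMap(RoleChecker checker) { this.checker = checker; }

        @Override
        public Boolean get(Object key) {
            // EL hands the bracket argument in as the key; anything unexpected fails closed
            if (checker == null || !(key instanceof String) || ((String) key).length() == 0) return Boolean.FALSE;
            return Boolean.valueOf(checker.isUserInRole((String) key));
        }
    }

    private final RoleFilterMap hasRole;

    /** No-arg constructor for the container: ask the current request's security context. */
    public Security() {
        this(new RoleChecker() {
            public boolean isUserInRole(String role) {
                FacesContext ctx = FacesContext.getCurrentInstance();
                return ctx != null && ctx.getExternalContext().isUserInRole(role); // no request: deny
            }
        });
    }
    Security(RoleChecker checker) { this.hasRole = new RoleFilterMap(checker); }

    /** Exposed to EL; returns Boolean, so rendered needs no string coercion. */
    public Map<String, Boolean> getHasRole() { return hasRole; }

    /** Offline demo with a constructed role set (no container needed). */
    public static void main(String[] args) {
        final Set<String> granted = Collections.singleton("AdminRole");
        Security s = new Security(new RoleChecker() {
            public boolean isUserInRole(String role) { return granted.contains(role); }
        });
        System.out.println("AdminRole -> " + s.getHasRole().get("AdminRole"));
        System.out.println("WebmasterRole -> " + s.getHasRole().get("WebmasterRole"));
    }
}
```

The check is only as trustworthy as isUserInRole is at render time; for pushed (server-initiated) renders outside a request the map denies rendering rather than guessing.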




stevideter

Joined: 04/Aug/2008 00:00:00
Messages: 5


asherwin,

Many thanks for your post. It finally gave me a very simple solution to the renderedOnUserRole problem, which I'd spent far too long beating my head against, trying to find a listener or filter to work around it.

 