1

I know it's not the way it's meant to be and it's totally wrong, but orders are orders, I need to do the following: The user access the servlet with the accesskey on the parameters, like this:

http://myhost/my_app/servlet?accesskey=XXXXX

The servlet then gets the key and authenticate the user on seam with it, is it possible? I couldn't manage to do it so far

2 Answers2

1

This code in your servlet should make you able to access your seam components. 

Lifecycle.beginCall();

Authenticator authenticator = (Authenticator)Component.getInstance("authenticator");

LifeCycle.endCall();
Trind
  • 1,583
  • 4
  • 18
  • 38
  • Which package is LifeCycle from? the only packages that do have that class are org.jboss.seam.contexts, javax.faces.lifecycle and org.hibernate.classic, none of them have the Begin method that you used above, which package did you use on your code ? Also, how should I authenticate using your code? I already got the parameter from the GET, but how should i pass it to the Authenticator password variable and authenticate() ? –  Sep 04 '12 at 11:21
  • Trind could you please answer ? –  Sep 05 '12 at 14:29
  • Sorry it is begincCall not just begin – Trind Sep 10 '12 at 06:14
1

From your question it is not clear if you are required to create a custom servlet or you just need to make login based on a request parameter. The main difference is that a custom servlet is not intercepted by Seam and you cannot use components unless you manually start a seam lifecycle (as noted by Trind, you need to use LifeCycle.beginCall() and LifeCycle.endCall() to be able to use Seam components when calling from outside SeamFilter). Other than that, the two solutions work similarly.

Create a component that will handle authentication:

@Name("myAuthenticator")
public class MyAuthenticator implements Serializable {

    // Seam's identity component
    @In private transient Identity identity;

    // When logged in, the user needs to have some roles, usually
    // you assign these dynamically based on user name, type, etc., here
    // I just initialize it to a fixed list of roles
    ArrayList<String> roles = new ArrayList<String>(Arrays.toList(
            new String[] { "base", "admin" }));

    // Access key (getters and setters omitted but are necessary)
    private String accessKey;

    public String doAuth() {
        // Check accessKey validity (against an SSO service or 
        // in your DB or whatever), here we do a trivial check.
        boolean userCanAccess = "ADMINKEY".equals(accessKey);

        if (userCanAccess) {
            identity.acceptExternallyAuthenticatedPrincipal(
                    new SimplePrincipal("username"));

            // Assign user roles
            for (String role : roles) {
                identity.addRole(role);
            }
            return "ok";
        }
        return "ko";
    }
}

Now create a login page descriptor that will handle login via the parameter (say externalLogin.page.xml, you don't need to create an .xhtml page for this):

<page>
    <!-- this sets the accessKey variable with the query parameter -->
    <param name="accessKey" value="#{myAuthenticator.accessKey}" />

    <!-- this invokes our authentication action -->
    <action execute="#{myAuthenticator.doAuth}" />

    <!-- navigation rules, these determine what to do if auth is ok or fails -->
    <navigation from-action="#{myAuthenticator.doAuth}">
        <rule if-outcome="ko">
            <redirect view-id="/error.xhtml">
                <message severity="ERROR">Invalid Authentication Key</message>
            </redirect>
        </rule>
        <rule if-outcome="ok">
            <redirect view-id="/home.xhtml">
                <message severity="INFO">Welcome!</message>
            </redirect>
        </rule>
    </navigation>
</page>

Now to perform login you can use that page, like so:

http://localhost:8080/yourapp/externalLogin.seam?accessKey=XXXXXXXX

If you need to use a custom servlet (very unlikely, but nevertheless), the above component does not change, just call it from within the servlet like this:

public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    // Start Seam lifecycle
    LifeCycle.beginCall();
    // Get an instance of the authenticator component from Seam
    MyAuthenticator auth = Component.getInstance("myAuthenticator");
    // Set access key in component and perform auth
    auth.setAccessKey(req.getParameter("accessKey"));
    String result = auth.doAuth();
    // End Seam lifecycle, no more component calls are needed.
    LifeCycle.endCall();

    // Do something here with the result
    if ("ok".equals(result)) {
        resp.sendRedirect(...);
    }
}
EmirCalabuch
  • 4,756
  • 1
  • 25
  • 20
  • If i choose to use my existing authenticate method with the first way you showed me, will it work ? I'm using a tutorial-based Authenticator: `http://pastebin.com/mZHNT8kP` –  Sep 10 '12 at 16:17
  • The short answer is no, the "standard" authenticator does not actually perform authentication, it just returns a boolean stating if the user should authenticate or not. The authenticator code I gave you performs actual authentication (the `identity.acceptExternallyAuthenticatedPrincipal()` call). – EmirCalabuch Sep 10 '12 at 16:21