Thursday, May 28, 2009

seamy photo gallery, writing an authentication filter (part 5)

In part 4 I used the simple authentication filter that comes out of the box with Seam to secure my URLs. It only supports basic and digest authentication, and with basic authentication what you get is an ugly, browser-dependent dialog box asking for the user's credentials. On IE it looks like this:
Instead, I wanted users to log in through the login page I had created. To do that I first removed the built-in basic authentication filter component and started coding my own:
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.*;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.annotations.web.Filter;
import org.jboss.seam.contexts.Context;
import org.jboss.seam.contexts.SessionContext;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.jboss.seam.web.AbstractFilter;
import org.jboss.seam.web.ServletRequestSessionMap;

// @Scope, @Name and @BypassInterceptors are assumed (the post cuts them off); Seam needs them to pick the filter up as a component
@Scope(ScopeType.APPLICATION)
@Name("customAuthenticationFilter")
@BypassInterceptors
@Install(precedence = Install.DEPLOYMENT)
@Filter(within = "org.jboss.seam.web.exceptionFilter")
public class CustomAuthenticationFilter extends AbstractFilter {
    @Logger protected Log log;

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("This filter can only process HttpServletRequest requests");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // @In does not work inside filters: look Identity up through a session context built over the HTTP session
        Context ctx = new SessionContext(new ServletRequestSessionMap(httpRequest));
        Identity identity = (Identity) ctx.get(Identity.class);
        // Identity is null when this session has not touched Seam yet; treat that as not logged in
        if (identity != null && identity.isLoggedIn()) {
            chain.doFilter(request, response);
        } else {
            // go login, then come back: the requested URL travels in the serviceUrl parameter (URL-encoded so '?' and '&' in it survive)
            String serviceUrl = URLEncoder.encode(httpRequest.getRequestURL().toString(), "UTF-8");
            httpResponse.sendRedirect(httpRequest.getContextPath() + "/login?serviceUrl=" + serviceUrl);
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        setUrlPattern("/secured/*"); // placeholder: the pattern used in the post is not shown
    }
}
Seam handles the creation and ordering of filters through the @Filter annotation: instead of adding web.xml entries, we annotate the filter and say where it should sit in the filter chain (here, within the Seam exception filter).
My filter extends Seam's AbstractFilter class, and in the init method I set the URL pattern the filter maps to.
The first thing doFilter does is check whether the user is already logged in. For that we need the Identity component, but Seam's injection mechanism does not work in filters, so instead of injecting it you build a session context over the HTTP session and look the Identity component up from there.
Once we have the Identity component we check whether the user is already logged in. If so we continue with the rest of the chain; if not we redirect to our custom login page and pass the page the user originally tried to reach in a request parameter I named serviceUrl.
Once the user has logged in successfully we need to send him back to the original resource pointed to by serviceUrl. To do that I wrote a listener class that fires after a successful login:
import java.io.IOException;
import javax.faces.context.FacesContext;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.*;
import org.jboss.seam.security.Identity;

@Name("loginRedirect")      // the name pages.xml refers to as #{loginRedirect.serviceUrl}
@Scope(ScopeType.SESSION)   // one listener per user session, so each user keeps his own serviceUrl
public class LoginRedirectListener {
    private String serviceUrl;

    @Observer(Identity.EVENT_POST_AUTHENTICATE)
    public void postAuthentication() throws IOException {
        if (serviceUrl != null && serviceUrl.length() > 0) {
            String target = serviceUrl;
            serviceUrl = null; // use it once, so a later login in the same session does not replay it
            FacesContext.getCurrentInstance().getExternalContext().redirect(target);
        }
    }

    public String getServiceUrl() { return serviceUrl; }
    public void setServiceUrl(String serviceUrl) { this.serviceUrl = serviceUrl; }
}
The good old observer pattern is implemented with annotations in Seam: with @Observer we get notified of the authentication event and redirect to the serviceUrl if there is one. I made the listener a session bean so that each user has his own serviceUrl. The last thing to do is to inject the serviceUrl parameter into the listener, which is done through pages.xml:
<page view-id="/login.xhtml">
    <rewrite pattern="/login" />
    <param name="serviceUrl" value="#{loginRedirect.serviceUrl}"/>
</page>
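The serviceUrl parameter makes the whole round trip above (filter, login page, listener) through a query string that the browser, and so anyone who builds a link to /login, can set. The following is an added example, not code from the post, showing the two halves of handling it safely: the encoding the filter applies when it builds the redirect, and a same-host check the listener should run before it follows the URL, so the post-login redirect cannot be pointed off-site. It is plain JDK code with no Seam dependency; the class name ServiceUrlHelper, the host gallery.example and the context path /gallery are constructed sample values.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;

/** Stand-alone helper (added example) for the serviceUrl round trip between the filter and the listener. */
public final class ServiceUrlHelper {
    private ServiceUrlHelper() {}

    /** What the filter sends: contextPath + "/login?serviceUrl=" + the original URL, URL-encoded. */
    public static String loginRedirect(String contextPath, String requestUrl) throws UnsupportedEncodingException {
        return contextPath + "/login?serviceUrl=" + URLEncoder.encode(requestUrl, "UTF-8");
    }

    /**
     * True only if serviceUrl is an http(s) URL on the application's own host and under its
     * context path. Other hosts, other schemes, protocol-relative "//host" forms, URLs carrying
     * user-info before the host, and malformed input are all rejected.
     */
    public static boolean isLocalServiceUrl(String serviceUrl, String ownHost, String contextPath) {
        if (serviceUrl == null || serviceUrl.isEmpty()) return false;
        URI uri;
        try {
            uri = new URI(serviceUrl);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) return false;
        if (uri.getUserInfo() != null) return false;                          // e.g. http://ownhost@otherhost/
        if (uri.getHost() == null || !uri.getHost().equalsIgnoreCase(ownHost)) return false;
        String path = uri.getPath();
        return path != null && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
    }

    public static void main(String[] args) throws Exception {
        // constructed sample values
        String ctx = "/gallery";
        String host = "gallery.example";
        String original = "http://gallery.example/gallery/album.seam?id=42&sort=date";

        String redirect = loginRedirect(ctx, original);
        System.out.println("filter sends:      " + redirect);

        // what arrives in loginRedirect.serviceUrl via pages.xml (the container has already decoded it)
        String back = URLDecoder.decode(redirect.substring(redirect.indexOf("serviceUrl=") + "serviceUrl=".length()), "UTF-8");
        System.out.println("listener receives: " + back + "  local? " + isLocalServiceUrl(back, host, ctx));

        String[] rejected = {
            "http://other.example/gallery/album.seam",        // other host
            "http://gallery.example@other.example/gallery/",  // user-info in front of the real host
            "//other.example/gallery/",                       // protocol-relative, no scheme
            "ftp://gallery.example/gallery/",                 // wrong scheme
            "http://gallery.example/other-app/",              // right host, outside our context path
        };
        for (String s : rejected) {
            System.out.println("reject: " + s + "  local? " + isLocalServiceUrl(s, host, ctx));
        }
    }
}
```

In the listener this means guarding the redirect with isLocalServiceUrl(serviceUrl, request host, context path) and simply dropping the value when the check fails, so the user still lands on the application's default page after login. Note that the same-host check compares the host the request came in on, not a hard-coded name, when the application is reachable under several names.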
That's all there is to it.
