How to handle dynamic role or username changes in JSF?

I have a JSF application running on GlassFish 2.1 with an EJB 3 backend. For authentication I use a custom realm. The user authenticates using the e-mail address and password he specified on registration. Everything is working quite well.

Now I have two related problems:

1) The user can edit his profile and -- naturally -- he can also change his e-mail address. Unfortunately, when I perform operations based on the current user's identity using ExternalContext.getUserPrincipal().getName(), I receive the previous e-mail address the user used on login. At the moment I handle this by forcing the user to reauthenticate after he changes his e-mail address, but is there another, more graceful possibility?

2) Same for user roles. E.g. I have the user roles MEMBER and PREMIUM_MEMBER. A MEMBER may become a PREMIUM_MEMBER during his current session. Unfortunately the role seems to be determined only at login. Is there any possibility that JSF and EJB recognize the new user role without the need for the user to re-authenticate?

Councilwoman answered 21/3, 2010 at 13:28

Comments:

- The JEE security model sucks as soon as you need something a bit dynamic. Maybe this question will help: "dynamic roles on a Java EE server" #2231217. I don't think point 2) is possible. - Dualism
- I've created java.net/jira/browse/JASPIC_SPEC-22 in support of this issue. Hopefully this can be addressed in a future version of Java EE. - Pontic
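Since the container's Principal name and roles are a snapshot taken at login, one defensive pattern for the situation described in the question is to capture a stable user id once and read the current e-mail and role from the application's own data store on every use. This is an added example, not code from the question or the answers; `User`, `UserService` and the JPA-backed lookups are hypothetical, and the bean is assumed to be registered as session-scoped in faces-config.xml.

```java
import java.security.Principal;
import javax.ejb.EJB;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Hypothetical entity: id never changes, e-mail and role may change during a session.
class User {
    private Long id; private String email; private String role;
    public User(Long id, String email, String role) { this.id = id; this.email = email; this.role = role; }
    public Long getId() { return id; }
    public String getEmail() { return email; }
    public String getRole() { return role; }
}

// Hypothetical stateless EJB backed by JPA; lookups go to the database, not to the login snapshot.
interface UserService {
    User findById(Long id);
    User findByEmail(String email);
}

// Session-scoped JSF managed bean (registered in faces-config.xml, assumed).
public class CurrentUserBean {

    @EJB
    private UserService userService;

    private Long userId;   // stable identifier, survives a later e-mail change

    // Resolve the container Principal to the stable id the first time it is needed.
    // The Principal name is the e-mail used at login and does not follow later edits.
    private Long resolveUserId() {
        if (userId == null) {
            ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
            Principal p = ctx.getUserPrincipal();
            if (p == null) throw new IllegalStateException("not authenticated");
            userId = userService.findByEmail(p.getName()).getId();
        }
        return userId;
    }

    // Current profile as stored now, including an e-mail changed during this session.
    public User current() { return userService.findById(resolveUserId()); }

    // Application-level role check that sees a MEMBER -> PREMIUM_MEMBER change immediately.
    public boolean isPremiumMember() { return "PREMIUM_MEMBER".equals(current().getRole()); }
}
```

Container-side checks such as ExternalContext.isUserInRole() and EJB role restrictions still use the login-time roles, so a role removal is not enforced by them until the session is invalidated and the user logs in again.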

Consider using Seam with JSF. There you can change the logged in users credentials without needing to re-login.

Tractable answered 23/3, 2010 at 8:50

Comments:

- 1) Have you any link to the Seam documentation where this is described? 2) Will Seam introduce a completely new authorization/authentication framework to my application, or will it provide the dynamic feature on top of JEE authorization/authentication? - Councilwoman
- It uses features on top of JEE. There is no documentation that describes that you can change a logged-in user's credentials. However, here is some documentation on authentication: docs.jboss.org/seam/2.2.1.CR1/reference/en-US/html_single/… The Security chapter is a good place to start though: docs.jboss.org/seam/2.2.1.CR1/reference/en-US/html_single/… When it comes to your second question about roles, then most likely a re-login is required, although the API might support raising an event changing the roles of a user. It wouldn't surprise me if it was possible. - Tractable
