java-ee-8custom-authenticationjava-security-manager

CustomAuthenticationMechanism obtains none callerGroups after called identityStoreHandler.validate


I am trying to create a custom authentication. When I I made a simple identityStore that validate every user as guest with rols AF_ADMIN and AF_USER.

CustomAuthenticationMechanism is called when login but the CredentialValidationResult from idStoreHandler have no callerGroups. So Login-public.xhtml says I don't have AF_ADMIN role.

Am I missing anything?

CustomAuthenticationMechanism

@AutoApplySession
@LoginToContinue
@ApplicationScoped
public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStoreHandler idStoreHandler;

    //@Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthenticationException {
        final String ticket = request.getParameter("ticket");

        if (ticket != null) {

            CredentialValidationResult result = idStoreHandler.validate(new UsernamePasswordCredential(ticket, Arrays.toString("LOGIN_PASSWORD")));

            if (result.getStatus() == VALID) {
                return httpMessageContext.notifyContainerAboutLogin(result);
            } else {
                return httpMessageContext.responseUnauthorized();
            }
        }

        return httpMessageContext.doNothing();
    }

}

login-public.xhtml

...
<h1>Public</h1>
<div class="alert alert-danger" role="alert">
    #{myBean.initBean()}
    <h:outputText value="inRole(AF_ADMIN): #{request.isUserInRole('AF_ADMIN')}"/><br/>
    <h:outputText value="requestURL: #{request.requestURL}"/><br/>
    <h:outputText value="headerNames: #{request.headerNames}"/><br/>
    #{requestScope['javax.servlet.error.status_code']}
    #{requestScope['javax.servlet.error.message']}<br/>
    #{messages['error.inesperat']}
</div>
...
    

login-private.xhtml

...
<h1>Public</h1>
<div class="alert alert-danger" role="alert">
    #{myBean.initBean()}
    <h:outputText value="inRole(AF_ADMIN): #{request.isUserInRole('AF_ADMIN')}"/><br/>
    <h:outputText value="requestURL: #{request.requestURL}"/><br/>
    <h:outputText value="headerNames: #{request.headerNames}"/><br/>
    #{requestScope['javax.servlet.error.status_code']}
    #{requestScope['javax.servlet.error.message']}<br/>
    #{messages['error.inesperat']}
</div>
...

MyLoginIdentityStory

@ApplicationScoped
public class MyLoginIdentityStore implements IdentityStore {

    private static final Logger log = LoggerFactory.getLogger(LoginIBIdentityStore.class);
    public static final String USER = "user";

    @Inject
    HttpServletRequest request;

    @Inject
    UsuariServiceable userSvc;

    @Override
    public int priority() {
        return 1;
    }

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.VALIDATE);
    }

    public CredentialValidationResult validate(UsernamePasswordCredential credential) {
        return new CredentialValidationResult("guest", new HashSet<>(Arrays.asList("AF_ADMIN","AF_USER")));
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        return IdentityStore.super.getCallerGroups(validationResult);
    }
}

web.xml

...
<security-constraint>
    <display-name>app_public</display-name>
    <web-resource-collection>
        <web-resource-name>app_public</web-resource-name>
        <url-pattern>/error.xhtml</url-pattern>
        <url-pattern>/login</url-pattern>
        <url-pattern>/login.xhtml</url-pattern>
        <url-pattern>/login-public.xhtml</url-pattern>
        <url-pattern>/resources/**</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<security-constraint>
    <display-name>app</display-name>

    <web-resource-collection>
        <web-resource-name>accfor_auth</web-resource-name>
        <description>paginas que requieren autentificacion</description>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>

    <auth-constraint>
        <description>Acceso a accfor</description>
        <role-name>AF_ADMIN</role-name>
    </auth-constraint>

</security-constraint>
...

Solution

  • Default validationTypes() methods return VALIDATE and PROVIDE_GROUPS.

    The problem was the overridden validation types method that only returned validation and it doesn't return provide groups.

    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.VALIDATE, ValidationType.PROVIDE_GROUPS);
    }