Programmatically add roles after authentication

java jsf authentication glassfish-3
Coen Damen picture Coen Damen · Jan 31, 2012 · Viewed 17.9k times · Source

I have the following JSF 2.1 login form, running in Glassfish 3.1

<h:form id="loginForm">
        <h:panelGrid columns="2" cellspacing="5">
            <h:outputText value="Username" />
            <h:inputText value="#{loginHandler.username}" />
            <h:outputText value="Password:" />
            <h:inputText value="#{loginHandler.password}" />
            <h:outputLabel value="" />
            <h:commandButton value="Login" action="#{loginHandler.login}" />
        </h:panelGrid>
    </h:form>

And the following backing bean.

public String login() throws IOException, LoginException {

    log.debug("Trying to login with username " + username);

    HttpSession session = getRequest().getSession(true);

    try {
        getRequest().login(username, password);

        // if OK, add Roles
                    ????????
                    ...................

    } catch (ServletException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }


    log.debug("USER principal === " + getRequest().getUserPrincipal());

    return "home";
}

The question is, how can I add roles programmatically to the UserPrincipal after successful login?

Update 1: I tried to get the Subject by using the following code but subject == null.

Subject thisSubject = Subject.getSubject(AccessController
                .getContext());

Thanks, Coen

Answer

SvdB picture SvdB · Jul 11, 2012

I came up with the following solution to add roles programmatically after login, which works at least on GlassFish 3.1.2 build 23.

import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.web.integration.PrincipalGroupFactory;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import org.glassfish.security.common.Group;

public class GlassFishUtils {
    public static void addGroupToCurrentUser(String groupName, String realmName) {
        Subject subject = SecurityContext.getCurrent().getSubject();
        Set<Principal> principals = subject.getPrincipals();
        Group group = PrincipalGroupFactory.getGroupInstance(groupName, realmName);
        if (!principals.contains(group))
            principals.add(group);
    }
}

You will need to add security.jar and common-util.jar from GlassFish to your project libraries.

And don't forget to create a <security-role> section in your web.xml for the roles you wish to add.

Note that I am using functionality which does not appear to be part of a published stable API, so there is no guarantee that this will keep working in future releases of GlassFish.

I got the information on how to add roles from the source code of sun.appserv.security.AppservPasswordLoginModule.commit() of GlassFish. If a future GlassFish release breaks my code, this function would be a good place to start in order to find out how to fix it.

Related questions

JSF authentication and authorization

What is the best way to go about implementing authentication and authorization for a JSF web application? Preferrably I'd still want to use container-based security, as I need to call EJBs that require the principal. I realize form-based authentication is …

Read More
What is the difference between JSF, Servlet and JSP?

I have some questions. These are : How are JSP and Servlet related to each other? Is JSP some kind of Servlet? How are JSP and JSF related to each other? Is JSF some kind of Pre-Build UI based JSP like …

Read More
How to make a redirection on page load in JSF 1.x

I have a web-application where the users can be sent directly to some specific pages (such as a page where he can view or edit an item). To achieve that, we provide a specific url. These urls are located outside …

Read More