
I have a JSF application running on glassfish 2.1 with an EJB 3 backend. For authentication I use a custom realm. The user authenticates using the e-mail-address and password he specified on registration. Everything is working quite well.

Now I have two related problems:

1) The user can edit his profile and -- naturally -- he can also change his e-mail-address. Unfortunately when I perform operations based on the current user's identity using ExternalContext.getUserPrincipal().getName(), I will receive the previous e-mail-address the user used on login. At the moment I handle this by forcing the user to reauthenticate after he changed his e-mail-address, but is there another more graceful possibility?

2) Same for user roles. E.g. I have the user roles MEMBER and PREMIUM_MEMBER. A MEMBER may become a PREMIUM_MEMBER during his current session. Unfortunately the role seems to be only determined at login. Is there any possibility that JSF and EJB recognize the new user role without the need for the user to re-authenticate?

sven
  • JEE security model sucks as soon as you need something a bit dynamic. Maybe this question will help "dynamic roles on a Java EE server" http://stackoverflow.com/questions/2230717/dynamic-roles-on-a-java-ee-server/2231079#2231079. I don't think point 2) is possible. – ewernli Mar 23 '10 at 07:54
  • I've created https://java.net/jira/browse/JASPIC_SPEC-22 in support of this issue. Hopefully this can be addressed in a future version of Java EE. – Arjan Tijms May 04 '13 at 18:37
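The stale-principal problem from point 1) comes from the container building the Principal (and the role set) once, at login, from whatever the custom realm returned; nothing in the session refreshes it afterwards. The following Java example is added here and is not code from the question, the answer, or any project mentioned on the page. It shows the two defensive choices a practitioner has on a JSF 1.2 / EJB 3 stack like GlassFish 2.1: key application lookups on the Principal name but have the realm return an immutable user id rather than the e-mail address (so a changed e-mail does not break lookups), and, where the container's view of the user must change (new e-mail as login key, new role), invalidate the session so the next login rebuilds it. The names `UserService`, `User`, `CurrentUserBean`, `findByLoginKey`, `updateEmail` and the `/login.jsf` page are assumptions for the example, not names from the page.

```java
// Added example (not the poster's code). Assumed: a local EJB 3 interface
// UserService and an entity User; the custom realm returns the user's
// immutable id (not the e-mail address) as the Principal name.
package example.web;

import java.io.IOException;
import java.security.Principal;
import javax.ejb.EJB;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

/** Hypothetical local EJB; the page does not name the poster's interfaces. */
interface UserService {
    User findByLoginKey(String loginKey);
    void updateEmail(Long userId, String newEmail);
    boolean isPremium(Long userId);
}

/** Hypothetical entity with a stable id and a mutable e-mail address. */
class User {
    private final Long id;
    private String email;
    User(Long id, String email) { this.id = id; this.email = email; }
    Long getId() { return id; }
    String getEmail() { return email; }
    void setEmail(String email) { this.email = email; }
}

/** Request-scoped JSF managed bean (declared in faces-config.xml in JSF 1.2). */
public class CurrentUserBean {

    @EJB
    private UserService userService;

    private ExternalContext ctx() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** Resolve the logged-in user from the container Principal. */
    public User getCurrentUser() {
        Principal p = ctx().getUserPrincipal();
        if (p == null) {
            return null;
        }
        // p.getName() is whatever the realm returned at login and never changes
        // for the life of the session. Keying the lookup on an immutable id
        // means an e-mail change cannot leave the Principal pointing nowhere.
        return userService.findByLoginKey(p.getName());
    }

    /** Role as the container sees it: fixed at login (this is point 2). */
    public boolean isPremiumMemberByContainer() {
        return ctx().isUserInRole("PREMIUM_MEMBER");
    }

    /**
     * Role as the database sees it right now. Safe for view-level decisions
     * (show/hide a menu), but NOT a substitute for container enforcement:
     * EJB @RolesAllowed("PREMIUM_MEMBER") still consults the login-time role
     * set, so a freshly upgraded member must re-authenticate before those
     * calls succeed.
     */
    public boolean isPremiumMemberNow() {
        User u = getCurrentUser();
        return u != null && userService.isPremium(u.getId());
    }

    /** Persist the new e-mail, then end the session so the next login rebuilds the Principal. */
    public String changeEmail(String newEmail) throws IOException {
        User u = getCurrentUser();
        if (u == null) {
            return "login"; // navigation outcome; assumed faces-config rule
        }
        userService.updateEmail(u.getId(), newEmail);

        // Invalidate the HTTP session: this drops the cached Principal and
        // roles. ExternalContext.invalidateSession() only exists from JSF 2.0,
        // so on GlassFish 2.1 (JSF 1.2) go through the servlet session.
        HttpSession session = (HttpSession) ctx().getSession(false);
        if (session != null) {
            session.invalidate();
        }
        ctx().redirect(ctx().getRequestContextPath() + "/login.jsf"); // assumed login page
        FacesContext.getCurrentInstance().responseComplete();
        return null;
    }
}
```

The split between `isPremiumMemberByContainer()` and `isPremiumMemberNow()` is the point to keep in mind: the database answer is fine for deciding what to render, but any protection that relies on the container (declarative EJB security, URL constraints in web.xml) keeps using the role set captured at login until the user logs in again, which is why the forced re-authentication is the correct choice rather than a workaround.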

1 Answer


Consider using Seam with JSF. There you can change the logged-in user's credentials without needing to re-login.

Shervin Asgari
  • 1) Have you any link to the Seam documentation where this is described? 2) Will Seam introduce a completely new authorization/authentication framework to my application or will it provide the dynamic feature on top of JEE authorization/authentication? – sven Mar 24 '10 at 09:15
  • It uses features on top of JEE. There is no documentation that describes that you can change logged in user's credentials. However, here is some documentation on authentication: http://docs.jboss.org/seam/2.2.1.CR1/reference/en-US/html_single/#d0e8712 The Security chapter is a good place to start though: http://docs.jboss.org/seam/2.2.1.CR1/reference/en-US/html_single/#security When it comes to your second question about roles, then most likely a re-login is required, although the API might support raising an event changing the roles of a user. It wouldn't surprise me if it was possible. – Shervin Asgari Mar 24 '10 at 10:31