I have a JSF application running on GlassFish 2.1 with an EJB 3 backend. For authentication I use a custom realm. The user authenticates using the e-mail-address and password he specified on registration. Everything is working quite well.

Now I have two related problems:

1) The user can edit his profile and -- naturally -- he can also change his e-mail-address. Unfortunately when I perform operations based on the current user's identity using ExternalContext.getUserPrincipal().getName(), I will receive the previous e-mail-address the user used on login. At the moment I handle this by forcing the user to reauthenticate after he changed his e-mail-address, but is there another more graceful possibility?

2) Same for user roles. E.g. I have the user roles MEMBER and PREMIUM_MEMBER. A MEMBER may become a PREMIUM_MEMBER during his current session. Unfortunately the role seems to be only determined at login. Is there any possibility that JSF and EJB recognize the new user role without the need for the user to re-authenticate?

+1  A: 

Consider using Seam with JSF. There you can change the logged-in user's credentials without needing to re-login.

Shervin
1) Have you any link to the Seam documentation where this is described? 2) Will Seam introduce a completely new authorization/authentication framework to my application or will it provide the dynamic feature on top of JEE authorization/authentication?
sven
It uses features on top of JEE. There is no documentation that describes that you can change logged in user's credentials. However, here is some documentation on authentication: http://docs.jboss.org/seam/2.2.1.CR1/reference/en-US/html_single/#d0e8712 The Security chapter is a good place to start though: http://docs.jboss.org/seam/2.2.1.CR1/reference/en-US/html_single/#security When it comes to your second question about roles, then most likely a re-login is required, although the API might support raising an event changing the roles of a user. It wouldn't surprise me if it was possible.
Shervin