Thursday, February 7, 2008

Intro to JBoss Seam Security, Part 2 - Advanced Authentication

In my last post, I gave a brief introduction into how JBoss Seam handles user authentication for web applications. By simply creating an authenticator class, it is possible to handle login/logout events for your application. Seam's ability to inject an identity object means that a user's identity can be accessed wherever necessary.

This method works great for simple use cases. But, what if you need more advanced functionality? The ability to enable/disable an account; the ability to manage account creation; the ability to add or remove a role programmatically. Suddenly, there is a lot more code necessary for our application to function appropriately. Thankfully, Seam has an answer to this problem.

The IdentityStore interface defines the methods for creating accounts, changing passwords, and many other account lifecycle functions. By implementing this interface and its corresponding methods, it is possible to hook into existing authentication stores, such as LDAP, and still be able to manage the account via an administrative interface.

Seam also provides a sample implementation that can be used to store accounts and roles in a database, JpaIdentityStore. The JpaIdentityStore class makes use of the Java Persistence API for storing account and role objects in a SQL database. In order to make use of the IdentityStore implementation, we need to tell Seam that we will be using it. In addition, we need to define the class that will be used as our account model object. To do this, we need to add the following line to our components.xml file:

<identity-management:jpa-identity-store name="identityStore" account-class="com.myapp.UserAccountModel"/>

As you can see, we have defined our account model as com.myapp.UserAccountModel. All that is needed is to implement this object and add the appropriate annotations so that JpaIdentityStore is able to make use of our data model.

The IdentityStore interface is simple enough that it can be implemented in a matter of hours. Whether you want to use JNDI, Kerberos, or a custom authentication method, it is simple to get up and running quickly. For more information on the IdentityStore and identity management APIs provided by Seam, take a look at this section in the documentation.

Next time, we'll take a further look at JpaIdentityStore and how to setup and configure it to work with your existing SQL table schema.


jdmr said...

I've tried what's in the doco and in the seamspace demo, but I can't seem to make it work... I've tried to enable more logs to see what's happening but at not avail.. What exactly do I need to check in a newly created app using seam-gen?


jdmr said...

Never mind, I had the hashed password value wrong...

WeiLing said...


Great article again!

I posted a comment on one of your other articles before asking for your permission to repost it on our website,

I'd like to ask your permission to repost this article as well.

Please shoot me an email at

Wei Ling Chen
Community Content Coordinator, DZone, Inc.