In-depth Explanation

What happens when you login?

The login page is defined using pure XHTML with JSF controls. The form uses JSF EL value binding and method binding expressions to refer to Seam components. For example, #{identity.username} refers to a property of the Identity component and #{identity.login} refers to a method of the Identity component.


<div>
    <h:outputLabel for="username">Login Name</h:outputLabel>
    <h:inputText id="username" value="#{identity.username}" />
</div>
<div>
    <h:outputLabel for="password">Password</h:outputLabel>
    <h:inputSecret id="password" value="#{identity.password}" />
</div>

... ...

<div class="buttonBox">
    <h:commandButton id="login"
                     action="#{identity.login}" 
                     value="Account Login" />
</div>

After logging in, the User enity bean is mapped to the Seam context variable named user bean via the @Name annotation. User is a session scoped bean, meaning that the user component value is retained for the entire session for each user. You might also notice there are validation annotation on the data properties. We will discuss those annotations in the next step.


@Entity
@Name("user")
@Scope(SESSION)
public class User implements Serializable {
   private String username;
   private String password;
   private String name;

   @NotNull
   @Length(min=5, max=15)
   public String getPassword() {
      return password;
   }
   public void setPassword(String password) {
      this.password = password;
   }
   
   @Id
   @Length(min=4, max=15)
   @Pattern(regex="^\\w*$", message="not a valid username")
   public String getUsername () {
      return username;
   }
   public void setUsername (String username) {
      this.username = username;
   }

    // ... ...
}

Seam comes with its own Security framework, based on JAAS. It allows you to perform user authentication by configuring your own authentication method in components.xml.


  <security:identity authenticate-method="#{authenticator.authenticate}"/>

AuthenticatorAction is an EJB 3.0 session bean mapped to the Seam context variable named authenticator. When the login button is clicked, the JSF method binding #{identity.login} is evaluated, and based upon the previous configuration, the authenticate() method is invoked upon AuthenticatorAction.


@Stateless
@Scope(EVENT)
@Name("authenticator")
public class AuthenticatorAction implements Authenticator
{
   @PersistenceContext EntityManager em;
   
   @Out(required=false, scope = SESSION)
   private User user;
   
   public boolean authenticate()
   {
      List results = em.createQuery("select u from User u where" + 
                                    " u.username=#{identity.username}" + 
                                    " and u.password=#{identity.password}")
                       .getResultList();
      
      if ( results.size()==0 )
      {
         return false;
      }
      else
      {
         user = (User) results.get(0);
         return true;
      }
   }
}

The @Out annotation indicates the AuthenticatorAction bean can change the value of the user context variable and make the new instance available to other session beans and JSF pages. The query expression makes use of a special syntax in Seam that allows EL expressions to serve as query parameters. This query references the identity component, a built-in Seam component that provides security functionality.