JBoss Community Archive (Read Only)

RHQ 4.9

GWT User Session Management

As we're still in the process of migrating the JSF/struts components of RHQ to use GWT/SmartGWT, the following outlines the session management and user login/logout process in place while portal.war is still being used. The JAAS login process, leveraged by the jboss container in portal.war, is still being used on the server side even though the UI elements have been converted to SmartGWT.

Portal.war session review

The legacy struts login process is initiated by a regular form login request, triggering the AuthenticateUserAction.execute() action where:

  1. SubjectManagerBean.login(user, password) is called to obtain a valid Subject.

  2. A new HttpSession instance is created.

  3. A new WebUser is created based on the valid Subject.

  4. The WebUser instance is stored in the session object.

The JAAS login process correctly handles authentication requests via JDBCLoginModule and LDAPLoginModule logic. See here for more details

Coregui.war session review

The coregui.war continues to use the portal.war session management mechanism described above. Migrating the login UI to GWT has the following additional side effects:

  • A client-side timer mechanism, UserSessionManager.sessionTimer, is required for responsive session monitoring (showing the login dialog on session timeout).

  • The asynchronous nature of GWT calls necessitates 'call-chaining' logic in UserSessionManager to achieve a synchronous, serial order of operations for the interactive login process.

  • There are greater security concerns for all login/session logic that now exists client side (e.g. SubjectManagerBean.processSubjectForLdap()), since JavaScript-only clients can now initiate requests that were previously encapsulated server-side.
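As an added illustration of the last point, not RHQ's own code: a hypothetical servlet filter placed in front of the GWT RPC endpoints that refuses any call whose HTTP session does not already hold the WebUser created by the portal.war login, so the server stays authoritative no matter what a JavaScript client does with the timer or call-chaining logic. The session attribute name and the WebUser.getSubject() accessor are assumptions.

```java
// Added example, not part of RHQ: a server-side guard for GWT RPC endpoints.
// It only trusts state that the portal.war login placed in the HttpSession.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.rhq.enterprise.gui.legacy.WebUser;

public class SessionGuardFilter implements Filter {
    // Assumed attribute key; the real key used by AuthenticateUserAction may differ.
    static final String WEB_USER_ATTR = "webUser";

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session here, otherwise an
        // unauthenticated caller would obtain one just by hitting the endpoint.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(WEB_USER_ATTR);

        // getSubject() is assumed to return the Subject set at login time.
        if (!(user instanceof WebUser) || ((WebUser) user).getSubject() == null) {
            // No server-side login on record for this session: reject before
            // the RPC service method ever runs.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login required");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to the RPC servlet paths in web.xml; the client-side sessionTimer then only improves the user experience, while session expiry is enforced by the container and this check.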

During a typical login request to coregui the following steps occur:

  1. LoginView.login() is called to initiate a login request to the portal.war logic.

  2. UserSessionManager.checkLoginStatus() is called to correctly process valid Subject logins to portal.war and to correctly process requests to the SessionAccessServlet.

Diagram of Login logic including LDAP authz processing

images/www.rhq-project.org/download/attachments/11894862/updated-login-gwt-ldap-10-25-10.jpg

RHQ classes used in session/login management

These are classes that are involved in user session management for the user interface:

  • org.rhq.enterprise.gui.coregui.client.UserSessionManager

  • org.rhq.enterprise.gui.coregui.client.SearchGUI

  • org.rhq.enterprise.gui.coregui.client.LoginView

  • org.rhq.enterprise.gui.coregui.client.util.rpc.TrackingRemoteServiceProxy

  • org.rhq.enterprise.gui.coregui.client.util.preferences.UserPreferences

  • org.rhq.enterprise.gui.authentication.SessionAccessServlet

    • this is in portal-war

  • org.rhq.enterprise.gui.authentication.AuthenticateUserAction

    • this is in portal-war

  • org.rhq.enterprise.gui.legacy.WebUser

  • org.rhq.enterprise.server.auth.SubjectManagerBean

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-13 07:59:25 UTC, last content change 2013-09-18 19:41:30 UTC.