SeamFramework.orgCommunity Documentation

Chapter 36. Security - Events

36.1. Introduction
36.2. Event list
36.3. Usage Example

A number of CDI events are fired during the course of many security-related operations, allowing additional business logic to be executed in response to certain security events. This is useful if you would like to generate additional logging or auditing, or produce messages to display to the user.

The following table contains the list of event classes that may be fired by Seam Security, along with a description of when the event is fired. All event classes are contained in the package.

AlreadyLoggedInEventFired when a user who is already logged in attempts to log in again
AuthorizationCheckEventFired when an authorization check is performed, such as Identity.hasPermission().
CredentialsUpdatedEventFired whenever a user's credentials (such as their username or password) are updated.
DeferredAuthenticationEventFired when a deferred authentication occurs. For example, at the end of the OpenID authentication process when the OpenID provider redirects the user back to the application.
LoggedInEventFired when the user is successfully logged in.
LoginFailedEventFired when an authentication attempt by the user fails.
NotAuthorizedEventFired when the user is not authorized to invoke a particular operation.
NotLoggedInEventFired when the user attempts to invoke a privileged operation before they have authenticated.
PreAuthenticateEventFired just before a user is authenticated
PostAuthenticateEventFired after a user has authenticated successfully.
PreLoggedOutEventFired just before a user is logged out.
PostLoggedOutEventFired after a user has logged out.
PrePersistUserEventFired just before a new user is persisted (when using Identity Management).
PrePersistUserRoleEventFired just before a new user role is persisted (when using Identity Management).
QuietLoginEventFired when a user is quietly authenticated.
SessionInvalidatedEventFired when a user's session is invalidated.
UserAuthenticatedEventFired when a user is authenticated.

The following code listing shows the SecurityEventMessages class, from the Seam Security implementation library. This class (which is disabled by default due to the @Veto annotation) uses the Messages API from Seam International to generate user-facing messages in response to certain security events.


import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

import org.jboss.solder.core.Requires;
import org.jboss.solder.core.Veto;

public @ApplicationScoped @Veto @Requires("")
class SecurityEventMessages {
    private static final String DEFAULT_LOGIN_FAILED_MESSAGE = "Login failed - please check your username and password before trying again.";
    private static final String DEFAULT_LOGIN_SUCCESSFUL_MESSAGE = "Welcome, {0}.";
    private static final String DEFAULT_ALREADY_LOGGED_IN_MESSAGE = "You're already logged in. Please log out first if you wish to log in again.";
    private static final String DEFAULT_NOT_LOGGED_IN_MESSAGE = "Please log in first.";

    public void postAuthenticate(@Observes PostAuthenticateEvent event, Messages messages, Identity identity) {, identity.getUser().getId());

    public void addLoginFailedMessage(@Observes LoginFailedEvent event, Messages messages) {

    public void addLoginSuccessMessage(@Observes LoggedInEvent event, Messages messages, Credentials credentials) {, credentials.getUsername());

    public void addAlreadyLoggedInMessage(@Observes AlreadyLoggedInEvent event, Messages messages) {

    public void addNotLoggedInMessage(@Observes NotLoggedInEvent event, Messages messages) {