Programmatically add roles after authentication

Question

I have the following JSF 2.1 login form, running in Glassfish 3.1

Answer 1

OK, i have figured out a workaround, which is not 100% correct in my point of view but suggestions are welcome :)

public void login() throws IOException, LoginException {

    log.debug("Trying to login with username " + username);

    try {
        getRequest().login(username, password);

        HttpSession session = getRequest().getSession(true);
        Subject subject = (Subject) session
                .getAttribute("javax.security.auth.subject");

        if (subject == null) {

            log.debug("Subject is null, creating new one");

            subject = new Subject();
            subject.getPrincipals().add(new PlainRolePrincipal("USER"));
            subject.getPrincipals().add(new PlainRolePrincipal("ADMIN"));

        }

        log.debug("HAS USER " + getRequest().isUserInRole("USER"));
        log.debug("HAS ADMIN " + getRequest().isUserInRole("ADMIN"));
        log.debug("HAS REPORT " + getRequest().isUserInRole("REPORT"));

        session.setAttribute("javax.security.auth.subject", subject);

        log.debug("USER principal === " + getRequest().getUserPrincipal());

        FacesContext.getCurrentInstance().getExternalContext()
                .redirect("pages/home.jsf");

    } catch (ServletException e) {

        FacesContext.getCurrentInstance().addMessage("Login",
                new FacesMessage("Invalid Username/Password combination"));

        e.printStackTrace();
    }

}

Also I use the following info bean to retrieve the subject and check the principals.

 @ManagedBean(name = "userInfo")
 @SessionScoped
 public class UserInformation {

/**
 * Fetches current logged in username.
 * 
 * @return
 */
public String getUsername() {

    return FacesContext.getCurrentInstance().getExternalContext()
            .getRemoteUser();

}



public boolean isUserInRole(String roleName) {
    Subject subject = (Subject) getRequest().getSession().getAttribute(
            "javax.security.auth.subject");

    for (Principal p : subject.getPrincipals()) {
        if (p.getName().equals(roleName)) {
            return true;
        }
    }

    return false;
}


public static HttpServletRequest getRequest() {
    Object request = FacesContext.getCurrentInstance().getExternalContext()
            .getRequest();
    return request instanceof HttpServletRequest ? (HttpServletRequest) request
            : null;
}

}

So I workaround the isUserInRole mechanism, the real isUserInRole method returns only true on USER, because that role is set when authenticating.

From the JSF pages I can now do

Hope this helps other users, any improvement suggestions are welcome!