MODE-1273 Added built-in authentication using Seam Security Added a built-in authentication/authorization provider to be enabled if and only if the "org.jboss.seam.security.Identity" class is on the classpath. The provider works when no Credentials are passed in, and creates an authenticated session based upon the current Identity instance if that Identity instance is already logged in.
All unit and integration tests pass with these changes, although none of our tests actually run with Seam Security. Therefore, additional testing will have to be done with system-level tests.
MODE-1270 Add support for setting Session's user ID based upon JAAS Subject in J2EE The standard way to get the current JAAS Subject given the LoginContext or AccessController works in standard Java but not in J2EE. Apparently this is a well-known issue. The recommended approach for J2EE is to instead get the Subject via the JACC API.
This change adds an optional (e.g., "provided") dependency on the JACC API, changes the JaasProvider implementation to accept an optional SubjectResolver implementation that the provider will use to resolve the Subject should the standard JAAS technique not work, and to change the JcrRepository implementation to give the JaasProvider a new JaccSubjectResolver implementation (when the JACC API is available).
It is not really possible to test whether this technique works in our unit or integration tests (as we don't deploy to a J2EE container). However, all existing unit and integration tests do pass (meaning it doesn't break their functionality), and Kurt is verifying that the JACC-style approach works within Guvnor and will (after this commit) verify that these changes do indeed work within Guvnor (which uses Seam in JBoss AS).