FormAuth: Programatically login using Form Authentication

[Ryaryu]

Hello, I'm working on an app that has to use Form Authentication.

Normally we would just create a form posting to /j_security_check and that would work with Quarkus.
But I need to do some work before calling the endpoint, therefore I'm calling a method from a @Named bean.
The problem is that after doing this before-hand work, when I do call ((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest()).login(username, password);, the method works perfectly but Quarkus doesn't generate a Cookie.

Have you found a solution for this?
Currently I'm picking the external host/url and manually calling /j_security_check with an absolute URL, but that is very ugly and error prone.

[melloware]

Because Quarkus obsviously works differently than a normal EE container i am not surprised by this.

@tmulle asked this very question on this ticket how to programmtic "login" and I don't think it ever got answered as that topic morphed more into progammatic logout and the login question i am not sure was ever answered was it @tmulle?

Read this thread: quarkusio/quarkus#27389

[melloware]

@Ryaryu it might be worth opening another Quarkus ticket and reference that original ticket that was never answered about programmatic login?

I also asked the Devs on Zulip Chat as well: https://quarkusio.zulipchat.com/#narrow/stream/187038-dev/topic/j_security_check.20Programmatic.20Login.3F

[Ryaryu]

Fair enough.

[melloware]

I will let you know what they say on the chat.

[melloware]

@Ryaryu can you post a small sample code of how you authenticate and logout with quarkus Faces? There are other users asking how to create a login form etc. we have an OIDC example from @tmulle but not a basic login form authentication example. Even snippets here will be fine?

[Ryaryu]

Oh... sure.
I'm using a single Bean to handle both.

@Named
@RequestScoped
public class LoginController {

  @Getter
  @Setter
  String username;

  @Getter
  @Setter
  String password;

  @Inject
  FacesContext facesContext;

  @ConfigProperty(name = "quarkus.http.auth.form.cookie-name")
  String cookieName;

  /**
  * Clear cookieName and redirects to my login page (/login.xhtml)
  */
  public String logout() {
    var fcResponse = (HttpServletResponse) facesContext.getExternalContext().getResponse();
    var cookie = new Cookie(cookieName, "");
    cookie.setMaxAge(0);
    fcResponse.addCookie(cookie);
    return "/login.xhtml?faces-redirect=true";
  }

  public void login() {
    try {
      var request = (HttpServletRequest) facesContext.getExternalContext().getRequest();

      generateCookie(request);

      // redirect to your main page.
      facesContext.getExternalContext().redirect("/principal.xhtml");
    } catch (Exception ex) {
      // do something?
    }
  }

  /**
   * Here we just replace the login form partial URL (in my case /login.xhtml) with /j_security_check
   * and make a request there so Quarkus can create the session cookie
   */
  private void generateCookie(HttpServletRequest request) throws IOException, InterruptedException {
    var securityCheckUrl = request.getRequestURL().toString()
        .replace("/login.xhtml", "/j_security_check");
    var response = jSecurityCheckRequest(securityCheckUrl);

    var fcResponse = (HttpServletResponse) facesContext.getExternalContext().getResponse();
    setCookie(response, fcResponse);
  }

  /**
  * Magic lies here.
  * We set the cookie generated by the /j_security_check request into the FacesContext response.
  */
  private void setCookie(HttpResponse<String> response, HttpServletResponse fcResponse) {
    var responseMap = response.headers().map();
    if (responseMap.containsKey("set-cookie")) {
      var cookieString = responseMap.get("set-cookie").get(0);
      var quarkusCookie = new Cookie(cookieName, cookieString.split("=")[1]);
      quarkusCookie.setMaxAge(8 * 60 * 60);
      quarkusCookie.setHttpOnly(true);
      fcResponse.addCookie(quarkusCookie);
    }
  }

  private HttpResponse<String> jSecurityCheckRequest(String securityCheckUrl)
      throws IOException, InterruptedException {
    var response = HttpClient.newHttpClient().send(HttpRequest.newBuilder()
        .uri(URI.create(securityCheckUrl))
        .POST(HttpRequest.BodyPublishers.ofString(
            "j_username=" + username + "&j_password=" + password))
        .header("Content-Type", "application/x-www-form-urlencoded")
        .build(), HttpResponse.BodyHandlers.ofString());
    return response;
  }

}

You can then call this bean from your xhtml freely, #{loginController.login()} or #{loginController.logout().

[melloware]

Issue created at Quarkus HTTP: quarkusio/quarkus-http#169