More missing/changed/undocumented functionality: login events

We make fairly heavy use of login/authentication events in our app too. It seems those were gutted totally, as I’m getting all red lines and inability to compile.

Specifically, BeforeLoginEvent seems to have been removed. We use this to check the user’s license for expiry and also their user count, to make sure they’re not going over their count of allowed users. We throw a LoginException (which seems to have ALSO been removed…) to disallow login if needed.

We also implemented a 2FA system which obviously makes heavy use of the login/authentication stuff. I haven’t gotten there yet but I’m betting that’s all been gutted too.

You really might consider updating your documentation, as many, many things were changed or removed and just not mentioned in the migration docs. :frowning:

Is there a way in Jmix to get similar functionality to CUBA’s BeforeLoginEvent and the ability to simply throw a LoginException to abort login when needed?

1 Like

There is information about standard Spring authentication events in the docs: Authentication :: Jmix Documentation.

There are also io.jmix.core.security.event.PreAuthenticationCheckEvent and io.jmix.core.security.event.PostAuthenticationCheckEvent that are not yet included in the docs.

Perhaps you can use PreAuthenticationCheckEvent, see for example how it’s used in the LDAP add-on:

@EventListener
public void onPreAuthenticationCheckEvent(PreAuthenticationCheckEvent event) {
    if (!ldapProperties.getStandardAuthenticationUsers().contains(event.getUser().getUsername())) {
        throw new BadCredentialsException("Current user cannot be authenticated via standard authentication");
    }
}

Regards,
Konstantin

1 Like

That is probably exactly what I need - thank you!

@krivopustov - definitely that is the event I need, however, in CUBA, we use event.getCredentials() and check if it is an instanceof either LoginPasswordCredentials or RememberMeCredentials to know if the login is a user or a system/anon login. Obviously, this is changed in Jmix - any pointers to equivalent functionality?

I would recommend to cast UserDetails from the event to the User type of your project and analyze the User attributes.

I have been playing with the Spring SessionRegistry to count logged in users and such. Is this a valid way? There seems to be no concept of “System” users in Jmix as there was in CUBA; is this correct?

Yes, SessionRegistry is now the standard way to get the list of logged in users.

There are Built-in Users.

Will those built in users show up in SessionRegistry?

When you use system authentication in your code, sessions are not created.
SessionRegistry returns only sessions created for external authenticated users.