Using Java Server Pages with Acegi Security:
The Acegi Security home page is http://www.acegisecurity.org/
* Cagatay Civici's Acegi Components are at http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the
Incompatibility Problem
The problem is that, as is, the login page created with JSF is not compatible with Acegi, but there are a few solutions for this (see below:)
* See Re: Acegi and JSF integration
* Solution Lincoln's Solution: Acegi and JSF Native Login Page
* Other Solution Victor's Blog
* Other Solution Integrating Acegi and JSF: Revisited
MyFaces Specific Solution
This solution requires myfaces tomahawk
* To get the input fields (j_username, j_password) correct, the login page (login.jsp) has:
<%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t"%>
<t:inputText id="j_username" forceId="true" value="#{backingBean.customerId}" size="40" maxlength="80"></t:inputText>
<t:inputSecret id="j_password" forceId="true" value="#{backingBean.password}" size="40" maxlength="80" redisplay="true"></t:inputSecret>
<h:commandButton action="login" value="#{messages.page_signon}"/>
<h:messages id="messages" layout="table" globalOnly="true" showSummary="true" showDetail="false"/>* To send to the correct destination (/j_acegi_security_check.jsp), faces-config.xml has:
<navigation-rule>
<from-view-id>/login.jsp</from-view-id>
<navigation-case>
<from-outcome>login</from-outcome>
<to-view-id>/j_acegi_security_check.jsp</to-view-id>
<redirect />
</navigation-case>
</navigation-rule>* applicationContext.xml has:
<bean id="formAuthenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="filterProcessesUrl">
<value>/j_acegi_security_check.jsp</value>
</property>
<property name="authenticationFailureUrl">
<value>/login.faces</value>
</property>
<property name="defaultTargetUrl">
<value>/</value>
</property>
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
</bean>* To make sure that the page forwarded to /j_acegi_security_check.jsp goes through the Acegi Filter Chain Proxy, web.xml has:
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>* Finally, to display any acegi errors, the backing bean has:
(this code can be called anywhere in the backing bean as long as it happens before the <h:messages> tag at the end)
Exception ex = (Exception)FacesContext.getCurrentInstance().getExternalContext().getSessionMap().get(AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY);
if (ex != null)
FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, ex.getMessage(), ex.getMessage()));
Problem when using <jsp:forward />
When using <jsp:forward /> to send the user to a page she is not authorized to, the Acegi Security filter chain is only triggered if org.acegisecurity.intercept.web.FilterSecurityInterceptor has been configured with property 'observeOncePerRequest' being set to 'false', in addition to adding the <dispatcher/> element to the filter mapping as described above.
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> ... <property name="observeOncePerRequest" value="false"/> </bean>