|
Size: 3930
Comment:
|
← Revision 10 as of 2009-09-20 23:01:08 ⇥
Size: 3938
Comment: converted to 1.6 markup
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 12: | Line 12: |
| * See [http://mail-archives.apache.org/mod_mbox/myfaces-users/200507.mbox/%3Cc206dbe9050701014965b20172@mail.gmail.com%3E Re: Acegi and JSF integration] | * See [[http://mail-archives.apache.org/mod_mbox/myfaces-users/200507.mbox/%3Cc206dbe9050701014965b20172@mail.gmail.com%3E|Re: Acegi and JSF integration]] |
| Line 14: | Line 14: |
| * Solution [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/ Lincoln's Solution: Acegi and JSF Native Login Page] | * Solution [[http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/|Lincoln's Solution: Acegi and JSF Native Login Page]] |
| Line 16: | Line 16: |
| * Other Solution [http://jroller.com/page/vtatai Victor's Blog] | * Other Solution [[http://jroller.com/page/vtatai|Victor's Blog]] |
| Line 18: | Line 18: |
| * Other Solution [http://www.jroller.com/page/fairTrade?entry=integrating_acegi_and_jsf_revisited Integrating Acegi and JSF: Revisited] | * Other Solution [[http://www.jroller.com/page/fairTrade?entry=integrating_acegi_and_jsf_revisited|Integrating Acegi and JSF: Revisited]] |
Using Java Server Pages with Acegi Security:
The Acegi Security home page is http://www.acegisecurity.org/
* Cagatay Civici's Acegi Components are at http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the
Incompatibility Problem
The problem is that, as is, a login page created with JSF is not compatible with Acegi, but there are a few solutions for this (see below):
* See Re: Acegi and JSF integration
* Solution Lincoln's Solution: Acegi and JSF Native Login Page
* Other Solution Victor's Blog
* Other Solution Integrating Acegi and JSF: Revisited
MyFaces Specific Solution
This solution requires MyFaces Tomahawk.
* To get the input fields (j_username, j_password) correct, the login page (login.jsp) has:

    <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t"%>
    <t:inputText id="j_username" forceId="true" value="#{backingBean.customerId}" size="40" maxlength="80"></t:inputText>
    <%-- redisplay="true" writes the submitted password back into the rendered HTML --%>
    <t:inputSecret id="j_password" forceId="true" value="#{backingBean.password}" size="40" maxlength="80" redisplay="true"></t:inputSecret>
    <h:commandButton action="login" value="#{messages.page_signon}"/>
    <h:messages id="messages" layout="table" globalOnly="true" showSummary="true" showDetail="false"/>

* To send to the correct destination (/j_acegi_security_check.jsp), faces-config.xml has:

    <navigation-rule>
        <from-view-id>/login.jsp</from-view-id>
        <navigation-case>
            <from-outcome>login</from-outcome>
            <to-view-id>/j_acegi_security_check.jsp</to-view-id>
            <redirect />
        </navigation-case>
    </navigation-rule>

* applicationContext.xml has:

    <bean id="formAuthenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="filterProcessesUrl">
            <value>/j_acegi_security_check.jsp</value>
        </property>
        <property name="authenticationFailureUrl">
            <value>/login.faces</value>
        </property>
        <property name="defaultTargetUrl">
            <value>/</value>
        </property>
        <property name="authenticationManager">
            <ref bean="authenticationManager" />
        </property>
    </bean>

* To make sure that the page forwarded to /j_acegi_security_check.jsp goes through the Acegi Filter Chain Proxy, web.xml has:

    <filter-mapping>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

* Finally, to display any Acegi errors, the backing bean has the following (this code can be called anywhere in the backing bean as long as it runs before the <h:messages> tag at the end):

    // Acegi stores the last authentication failure in the session under this key
    Exception ex = (Exception) FacesContext.getCurrentInstance().getExternalContext().getSessionMap().get(AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY);
    if (ex != null) {
        FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, ex.getMessage(), ex.getMessage()));
    }

Problem when using <jsp:forward />
When <jsp:forward /> is used to send the user to a page she is not authorized to view, the Acegi Security filter chain is only triggered if org.acegisecurity.intercept.web.FilterSecurityInterceptor has been configured with the property 'observeOncePerRequest' set to 'false', in addition to adding the <dispatcher/> elements to the filter mapping as described above.

    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        ...
        <property name="observeOncePerRequest" value="false"/>
    </bean>
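
As an added example (not part of the original wiki page or of Acegi itself), a small Python check that reads a web.xml and an applicationContext.xml and reports whether forwarded requests still reach the Acegi interceptor, covering both the dispatcher mapping and the observeOncePerRequest setting described above. The sample XML strings are constructed and the function names are hypothetical; the default filter name is the one used in the web.xml snippet on this page.

```python
import xml.etree.ElementTree as ET

INTERCEPTOR = "org.acegisecurity.intercept.web.FilterSecurityInterceptor"
# Constructed sample configs (not from the page): REQUEST-only mapping, default interceptor.
WEAK_WEB = ("<web-app><filter-mapping><filter-name>Acegi Filter Chain Proxy</filter-name>"
            "<url-pattern>/*</url-pattern></filter-mapping></web-app>")
FIXED_WEB = WEAK_WEB.replace("</url-pattern>", "</url-pattern><dispatcher>FORWARD</dispatcher>"
                             "<dispatcher>REQUEST</dispatcher>")
WEAK_CTX = f'<beans><bean id="filterInvocationInterceptor" class="{INTERCEPTOR}"/></beans>'
FIXED_CTX = WEAK_CTX.replace("/>", '><property name="observeOncePerRequest" value="false"/></bean>')

def _local(tag):  # strip an XML namespace so files with or without xmlns parse alike
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def forward_is_filtered(web_xml, filter_name="Acegi Filter Chain Proxy"):
    """True if some mapping of filter_name lists the FORWARD dispatcher."""
    for m in ET.fromstring(web_xml).iter():
        if _local(m.tag) != "filter-mapping":
            continue
        names = [(n.text or "").strip() for n in _children(m, "filter-name")]
        # No <dispatcher> child means REQUEST only (servlet spec default).
        dispatchers = {(d.text or "").strip() for d in _children(m, "dispatcher")}
        if filter_name in names and "FORWARD" in dispatchers:
            return True
    return False

def rechecks_every_dispatch(context_xml):
    """True if every FilterSecurityInterceptor bean sets observeOncePerRequest=false."""
    beans = [b for b in ET.fromstring(context_xml).iter()
             if _local(b.tag) == "bean" and b.get("class") == INTERCEPTOR]
    def disabled(bean):
        for p in _children(bean, "property"):
            if p.get("name") == "observeOncePerRequest":
                nested = _children(p, "value")
                value = p.get("value") or (nested[0].text if nested else "")
                return (value or "").strip().lower() == "false"
        return False  # property absent: Acegi defaults to true
    return bool(beans) and all(disabled(b) for b in beans)

def audit(web_xml, context_xml):
    """Return findings; an empty list means forwards reach the interceptor."""
    findings = []
    if not forward_is_filtered(web_xml):
        findings.append("filter-mapping lacks <dispatcher>FORWARD</dispatcher>")
    if not rechecks_every_dispatch(context_xml):
        findings.append("observeOncePerRequest is not false")
    return findings
```

Both checks must pass together: the dispatcher mapping gets the forward into the filter chain, and observeOncePerRequest=false makes the interceptor evaluate it again.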