Using Java Server Pages with Acegi Security:

The Acegi Security home page is

* Cagatay Civici's Acegi Components are at

Incompatibility Problem

The problem is that a login page created with JSF is not compatible with Acegi as is, but there are a few solutions for this (see below).

* See Re: Acegi and JSF integration

* Solution: Lincoln's Solution: Acegi and JSF Native Login Page

* Other solution: Victor's Blog

* Other solution: Integrating Acegi and JSF: Revisited

MyFaces Specific Solution

This solution requires MyFaces Tomahawk.

* To get the input fields (j_username, j_password) correct, the login page (login.jsp) has:

<%@ taglib uri="" prefix="t"%>

<t:inputText id="j_username" forceId="true" value="#{backingBean.customerId}" size="40" maxlength="80"></t:inputText>

<t:inputSecret id="j_password" forceId="true" value="#{backingBean.password}" size="40" maxlength="80" redisplay="true"></t:inputSecret>

<h:commandButton action="login" value="#{messages.page_signon}"/>

<h:messages id="messages" layout="table" globalOnly="true" showSummary="true" showDetail="false"/>

* To send to the correct destination (/j_acegi_security_check.jsp), faces-config.xml has:

                <redirect />

* applicationContext.xml has:

<bean id="formAuthenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="filterProcessesUrl">
        <property name="authenticationFailureUrl">
        <property name="defaultTargetUrl">
        <property name="authenticationManager">
                <ref bean="authenticationManager" />

* To make sure that the page forwarded to /j_acegi_security_check.jsp goes through the Acegi Filter Chain Proxy, web.xml has:

        <filter-name>Acegi Filter Chain Proxy</filter-name>

* Finally, to display any Acegi errors, the backing bean has:

(this code can be called anywhere in the backing bean as long as it happens before the <h:messages> tag at the end)

// Acegi stores the last authentication failure in the HTTP session under this key.
Exception ex = (Exception) FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
        .get(AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY);
if (ex != null) {
        FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, ex.getMessage(), ex.getMessage()));
}

Problem when using <jsp:forward />

When <jsp:forward /> is used to send the user to a page she is not authorized to view, the Acegi Security filter chain is only triggered if org.acegisecurity.intercept.web.FilterSecurityInterceptor has been configured with the property 'observeOncePerRequest' set to 'false', in addition to adding the <dispatcher/> element to the filter mapping as described above.

<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
   <property name="observeOncePerRequest" value="false"/>
   <!-- other properties as in your existing configuration -->
</bean>
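
The filter mapping referred to in the web.xml step and in the <jsp:forward /> note, written out as an added example that is not from the original page. The filter name is the one used on this page; the FilterToBeanProxy declaration and the /* URL pattern are assumptions about a typical Acegi setup, and the <dispatcher> element requires a Servlet 2.4 (or later) web.xml.

```xml
<!-- Added example. Filter name taken from this page; the filter class wiring
     and the /* URL pattern are assumptions about a typical Acegi setup. -->
<filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
</filter>

<!-- Mapping without <dispatcher> elements: the container applies the filter
     to REQUEST dispatches only, so a page reached through an internal forward
     is served without passing through the security filter chain.

<filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->

<!-- Mapping with explicit dispatchers: the chain runs for direct requests
     and for internal forwards. REQUEST must be listed explicitly, because
     naming any dispatcher replaces the REQUEST-only default. -->
<filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
```

With FORWARD mapped, the chain runs a second time within the same request, which is why FilterSecurityInterceptor only re-checks the forwarded URL when observeOncePerRequest is set to false.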

JSF_and_Acegi (last edited 2009-09-20 23:01:08 by localhost)