Latest posts for the topic "acegi-security and icefaces"

acegi-security and icefaces

Christian Teichert — GMT

hello everybody, we use acegi-security (http://acegisecurity.org/) in an application that we migrated from facelets to icefaces recently. acegi provides methods that respond to the component-properties "renderedOnUserRole" and "enabledOnUserRole". In a first try acegi seems to work fine with icefaces - these two integrated seamlessly. But getting a bit deeper into icefaces we encountered a strange problem in combination of the security-related tasks and the IntervalRenderer. We added a clock to our app to display the current date and time and to keep the connection alive (which used to get lost accidentially). With the clock being displayed we have the problem, that all our components with the property "renderedOnUserRole" will disappear at the IntervalRenderer intervals. *Any* request coming from the client itself(including partialSubmits) restores those components again until the next IntervalRenderer interval will remove them once again. Is there anything we have to consider when using the IntervalRenderer AND "renderedOnUserRole"?

Re: acegi-security and icefaces

ted.goddard — GMT

The IntervalRenderer makes use of a persistent ServletRequest stored on the server. Unfortunately, this request does not contain sufficient information to perform the isUserInRole() check (the check is possible on the first rendering pass because the original ServletRequest is used then.) To address this, a small amount of integration will be required either between ICEfaces and acegi-security or ICEfaces and the application server (integration with acegi-security is likely preferable as it will be more portable). This will be addressed in an upcoming release.

Re: acegi-security and icefaces

Christian Teichert — GMT

Thank you Ted, that's what we already supposed. So we'll be patiently waiting until the very release and hope that our users will have their own watch, so they won't need the app's clock... ;-)

Re: acegi-security and icefaces

Sixty4 — GMT

CITE: The IntervalRenderer makes use of a persistent ServletRequest stored on the server. Unfortunately, this request does not contain sufficient information to perform the isUserInRole() check... Is the same true for the OnDemandRenderer? And...when do you expect to have a corrected release ready for publication? Thanks in advance! Thomas PS: your support is excellent!

Re: acegi-security and icefaces

ted.goddard — GMT

The acegi security API seemed to provide exactly what we needed (role checking directly from a Principal) so the implementation went very smoothly. (Please keep in mind that this is very preliminary integration and further work is undoubtedly required. Our testing, though, shows that acegi security provides a persistent security context that works with application initiated rendering.) Thanks for your interest; ICEfaces will continue to strive for the speed and reliability of german trains ...

Re: acegi-security and icefaces

Christian Teichert — GMT

Wow, that fast! Where does the name ICEfaces come from? might very well be the german high-speed-train (called "ICE")! Thanks a lot Christian

Re: acegi-security and icefaces

ted.goddard — GMT

Initial integration with acegi security has been added to ICEfaces and will be available in the next release. This feature will be of an "early access" nature, so we will be looking for your feedback. One important consideration will be that since ICEfaces needs access directly to the acegi security APIs, acegi-security-1.0.1.jar cannot be installed in server/lib, it must be installed in common/lib (this is for tomcat, other application servers will require their own installation adjustments).

Re: acegi-security and icefaces

Sixty4 — GMT

My collegue Christian is on holidays. Just wanted to tell you that ACEGI seems to work smoothly with IceFaces 1.0.1. Thank you very much! Thomas

Re: acegi-security and icefaces

jtp51 — GMT

Thomas: Would you please provide your insight on how to even get started using acegi-security with ICEfaces? *I am really stuck right now.* Thanks, --Todd

Re: acegi-security and icefaces

jtp51 — GMT

Christian: OK, I've been going through a lot of documentation linked from: http://www.acegisecurity.org/articles.html From what I can find, the following statement caught my eye: The issues I encountered are all related to the authentication mechanism - all other configurations work just fine if done as described in the Acegi manual (please please take great care in observing the servlet filter order or else no donut for you). So, your not the only one dealing with issues. IMO: This is not a ICEfaces issues - more a JSF issue. Still hammering away on this. Thanks, --Todd

Re: acegi-security and icefaces

Christian Teichert — GMT

Hi Todd, just found your other acegi-thread in this forum. To be honest, my integration of ICEfaces and acegi works only a little bit. Up to now i'm able to secure URLs reliably and to display components depending on the user role - as long as i use "normal", client initiated requests only. One other thing that's working is MethodSecurity using the SecurityInterceptor. But I do *not* use the acegi-security api directly. What I did do to get started was to put all the acegi jars i could grab on my /lib dir, including the tiger one (might be important for Java 5 ...?), adjusted the acegi configuration with the proper file names and user roles (using the inMemoryDao for simplicity-reasons) and added the filter entry and bean-definition in my web.xml. That's all that was needed to make the URL-Security work. As the rest doesn't work really well i better won't try to advice you, my hints might prove worthless or even harmful .. :-( Unfortunately i discovered my problems only a few minutes ago, otherwise i wouldn't have tried to offer help on a topic that i apparently do not really understand myself - sorry for that. I'll let you know if i find a solution. Greetz Christian

Re: acegi-security and icefaces

jtp51 — GMT

Christian: Thank you. I went out to http://home.hccnet.nl/bart.van.riel/spring_acegi_tutorial.html and read through the tutorial, I was unable to load the .war in Sun Java System Application Server 8.2 and I couldn't find the .zip containing the source. I have the following jars added to my /lib directory for Sun Java System Application Server 8.2: acegi-security-1.0.1.jar acegi-jsf-1.1.2.jar What is acegi-security-tiger-1.0.1.jar, I've searched on the Spring forum and googled without a lot of success. The readme.txt doesn't help either. What I am stuck at is actual useful examples of Bean code using the acegi-secruity api. How do I even get started? All of the information I've looked at just reviews setting up the web.xml and acegi.xml as you've provided. By the way: Thanks for attaching those. Anyways, I am searching for as much "getting started information as I can". Thanks, --Todd

Re: acegi-security and icefaces

Christian Teichert — GMT

Hello Ted, i just tried to use the "renderedOnUserRole" in combination with the IntervalRenderer using ICEfaces 1.0.1 and acegi 1.0.1, but my problem remains: some components are being displayed correctly but the most of them are killed by the IntervalRenderer. Maybe the problem is that Tomcat cannot find the acegi- and spring-jars that i put in common/lib. Is there anything i have to do so that the application *does* use the jars in that directory?

Re: acegi-security and icefaces

Christian Teichert — GMT

Hi Todd, as my collegue Thomas is on holidays i'll try to answer your question. First of all i'd like to recommend a Spring Acegi Tutorial (just in case haven't found it already: http://home.hccnet.nl/bart.van.riel/spring_acegi_tutorial.html) It provides a good introduction and overview to acegi. We use Spring 1.2.5 and acegi 1.0.1. From acegi you'll need acegi-security-1.0.1.jar and eventually acegi-security-tiger-1.0.1.jar. Additionally you'll need acegi-jsf-1.1.2.jar (avaliable via http://sourceforge.net/project/showfiles.php?group_id=137466). And of course you need ICEfaces 1.0.1. I'll attach the relevant parts of our web.xml and acegi.xml (and put in some english comments). That's all! To provide you with better hints i'd need to know *where* you're stuck exactly and to see your configuration. Hope i could help you a bit Christian

Re: acegi-security and icefaces

jtp51 — GMT

I am so close to getting AuthenticationProcessingFilter to work it's not funny. The issue is, need for specific username and password field names. They need to be: However, the parsed HTML names are: Thus, I cannot get AuthenticationProcessingFilter to work in the chain. MyFaces (cring) has a property called forceID, which you can set to a boolean - which solves the issue of having specific field names. Aaaahhhh! Thanks, --Todd acegi-security log: 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:192 - Request is to process authentication 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:192 - Request is to process authentication 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:192 - Request is to process authentication 13:05:00,676 WARN LoggerListener,httpWorkerThread-8080-2:55 - Authentication event AuthenticationFailureBadCredentialsEvent: ; details: org.acegisecurity.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: 13014621224effffffffffef23436b7be8632; exception: Bad credentials 13:05:00,676 WARN LoggerListener,httpWorkerThread-8080-2:55 - Authentication event AuthenticationFailureBadCredentialsEvent: ; details: org.acegisecurity.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: 13014621224effffffffffef23436b7be8632; exception: Bad credentials 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:413 - Updated SecurityContextHolder to contain null Authentication 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:413 - Updated SecurityContextHolder to contain null Authentication 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:413 - Updated SecurityContextHolder to contain null Authentication 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:419 - Authentication request failed: org.acegisecurity.BadCredentialsException: Bad credentials 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:419 - Authentication request failed: org.acegisecurity.BadCredentialsException: Bad credentials 13:05:00,676 DEBUG AuthenticationProcessingFilter,httpWorkerThread-8080-2:419 - Authentication request failed: org.acegisecurity.BadCredentialsException: Bad credentials 13:11:01,282 DEBUG HttpSessionEventPublisher,ContainerBackgroundProcessor[StandardEngine[com.sun.appserv].StandardHost[server].StandardContext[/login]]:113 - Publishing event: org.acegisecurity.ui.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@17067ba] 13:11:01,282 DEBUG HttpSessionEventPublisher,ContainerBackgroundProcessor[StandardEngine[com.sun.appserv].StandardHost[server].StandardContext[/login]]:113 - Publishing event: org.acegisecurity.ui.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@17067ba] 13:11:01,282 DEBUG HttpSessionEventPublisher,ContainerBackgroundProcessor[StandardEngine[com.sun.appserv].StandardHost[server].StandardContext[/login]]:113 - Publishing event: org.acegisecurity.ui.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@17067ba]

Re: acegi-security and icefaces

jtp51 — GMT

Confirmed: "The login form; it has input fields for the username and password, j_username and j_password, respectively, and a form action pointing to j_acegi_security_check since that is what the authenticationProcessingFilter filter listens for to capture every login form submission." So, how do I solve this? Thanks, --Todd

Re: acegi-security and icefaces

Christian Teichert — GMT

In my app it works as easily as you describe it: -- p.s.: better use a normal html form for the login page, as ICEfaces will add it's something of it's own to the controls ' ids. Message was edited by: Christian Teichert

Re: acegi-security and icefaces

jtp51 — GMT

Christian: thank you for following up. I am about at that point, but would like to try one other approach. I hate to give up the JSF validation on the two fields... Thanks, --Todd

Re: acegi-security and icefaces

Sixty4 — GMT

Dear Christian, dear Todd, it's nice to see you working so hard to solve these problems ... while still being on holiday. ;-) Good luck! Thomas

Re: acegi-security and icefaces

jtp51 — GMT

David: My other approach did not work. I tried to use the MyFaces Tomahawk example - but of course that was wrong and doesn't work. What MyFaces has in their Wiki for a acegi-security solution is wrong. I confirmed this on the Springframework forums. Therefore, I will give up the nice JSF components for the login screen and use a .jsp page. I tried the bean approach, but the information is so uncomplete, it's a waste of time. If your interested, I've attached my login.jspx with the Tomahawk references. Acegi-security does not work with the Controller model of JSF. This is not an ICEfaces issue, just a JSF issue. Thanks, --Todd

Re: acegi-security and icefaces

aberrant80 — GMT

I'm interested in finding out if you managed to get your "other approach" to work.

Re: acegi-security and icefaces

dclounch — GMT

jtp51 wrote:

David: My other approach did not work. I tried to use the MyFaces Tomahawk example - but of course that was wrong and doesn't work. What MyFaces has in their Wiki for a acegi-security solution is wrong. I confirmed this on the Springframework forums. Therefore, I will give up the nice JSF components for the login screen and use a .jsp page. I tried the bean approach, but the information is so uncomplete, it's a waste of time. If your interested, I've attached my login.jspx with the Tomahawk references. Acegi-security does not work with the Controller model of JSF. This is not an ICEfaces issue, just a JSF issue. Thanks, --Todd

About a year later I am wondering if things are better? I was looking at Phil's forwarding of variables via the loginProxyBean class. Does that help? Or should I just give up now? I can see the j_username and j_password being set in the map, but is that enough? I am still not getting authenticated with good credentials. I am new to icefaces and I am concerned about how to get renderedOnUserRole set up properly with authentication and authorization. If Acegi is hopeless then is there another framework that works with JSF/ice?

Re:acegi-security and icefaces

brad.kroeger — GMT

Here is an example of a working implementation in an ICEfaces application. An AuthenticationController bean helps to perform the authenticationProcessingFilter and logoutFilter functions as per http://www.javakaffee.de/blog/2006/07/04/jsfacegi-authentication-with-a-backing-bean/? . First of all the jars, I'm using jars from spring-framework 2.0.3: acegi-security-1.0.3.jar aopalliance.jar aspectjrt.jar commons-attributes-api.jar commons-codec.jar commons-lang.jar ehcache-1.2.4.jar jakarta-oro-2.0.8.jar jstl.jar spring.jar spring-aspects.jar standard.jar Add the following to your web.xml: Code:

	
	
	
		contextConfigLocation
		/WEB-INF/applicationContext.xml
	

	
		RequestContextFilter
		
			org.springframework.web.filter.RequestContextFilter
		
	

	
		RequestContextFilter
		Persistent Faces Servlet
	
	
	
	    org.springframework.web.context.ContextLoaderListener
	  
	
	
        Acegi Filter Chain Proxy
        org.acegisecurity.util.FilterToBeanProxy
        
            targetClass
            org.acegisecurity.util.FilterChainProxy
        
    

    
      Acegi Filter Chain Proxy
      Persistent Faces Servlet
      FORWARD
      REQUEST

Add the following to your faces.config: Code:

	
	
        
            org.springframework.web.jsf.DelegatingVariableResolver
        		
	

	
		com.icesoft.icefaces.site.acegi.NoCachePhaseListener

Here is the applicationContext.xml. In our application we are doing our own implementation of userDetailsService (OurUserDetailsService) it's up to you how you want to implement this, please see the acegi documentation for your options: Code:






	
		
			
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=httpSessionContextIntegrationFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
			
		
	

	
   
	

	
		
			
				
				
			
		
		
			
			
			
		
	

	
		
			
		
		
			
				
				
					
						
						
					
				
			
		
		
			
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/secure/**=ROLE_Administration
				/general/**=IS_AUTHENTICATED_REMEMBERED

Here are the classes you need to add to your application: Code:

public class NoCachePhaseListener implements PhaseListener {

	   public PhaseId getPhaseId() {
	       return PhaseId.RENDER_RESPONSE;
	   }

	   public void afterPhase(PhaseEvent phaseEvent) {
	   }

	   public void beforePhase(PhaseEvent phaseEvent) {
	       FacesContext facesContext = phaseEvent.getFacesContext();
	       HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();
	       response.addHeader("Pragma", "no-cache");
	       response.addHeader("Cache-Control", "no-cache");
	       response.addHeader("Cache-Control", "no-store");
	       response.addHeader("Cache-Control", "must-revalidate");
	       response.addHeader("Expires", "Mon, 1 Jan 2006 05:00:00 GMT");//in the past
	   }
	}

Code:

public final class AuthenticationController {

     private static final Log LOG = LogFactory.getLog( AuthenticationController.class );

     // injected properties
     private AuthenticationManager _authenticationManager;

     public String authenticate(String userName, String password) throws AuthenticationException{
         
         String outcome = "failure";
         
         final HttpServletRequest request = getRequest();

         try {
             final UsernamePasswordAuthenticationToken authReq = new UsernamePasswordAuthenticationToken(
                     userName, password );

             authReq.setDetails( new WebAuthenticationDetails( request ) );

             final HttpSession session = request.getSession();
             session.setAttribute(
                             AuthenticationProcessingFilter.ACEGI_SECURITY_LAST_USERNAME_KEY,
                             userName );

             /* perform authentication
              */
             final Authentication auth = getAuthenticationManager().authenticate( authReq );
          
             /* initialize the security context.
              */
             final SecurityContext secCtx = SecurityContextHolder.getContext();
             secCtx.setAuthentication( auth );
             session.setAttribute( HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY, secCtx );
             
             outcome = "success";

         } catch (Exception e ){
             outcome = "failure";
         }
         return outcome;
     }

     private HttpServletRequest getRequest() {
         return (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
     }

     public AuthenticationManager getAuthenticationManager() {
         return _authenticationManager;
     }

     public void setAuthenticationManager(
             AuthenticationManager authenticationManager ) {
         _authenticationManager = authenticationManager;
     }

}

In your bean that is performing the login, you can now add the following code. We are returning a String here because the method is bound to a action attribute on a commandButton. "loginMessage" is a String used to display errors in our UI: Code:

            // begin acegi login
            persistentFacesState = PersistentFacesState.getInstance();
            authenticationController = ((AuthenticationController)persistentFacesState.getFacesContext().getApplication().getVariableResolver().resolveVariable(persistentFacesState.getFacesContext(), "authenticationController"));
            try{
               authenticationController.authenticate(username,password);
            } catch (AuthenticationException e) {
                loginMessage = e.getMessage() + ".";
                return "failed";
            }
            // end acegi login

Here is the logout code: Code:

        // acegi logout
        SecurityContextHolder.clearContext();
        final HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        final HttpSession session = request.getSession();
        session.removeAttribute( HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY );
        session.invalidate();

In our case, we are using our implementation of userDetailsService to construct an acegi User object with roles from an existing database. The existing database has group names that we concatenate to ROLE_ in order to construct an array of GrantedAuthorities. We can now use ROLE_administration to access the /secure portions of our site or in our renderedOnUserRole/enabledOnUserRole attributes of ICEfaces components.

Re:acegi-security and icefaces

brad.kroeger — GMT

userDetails implementation is covered in this post: http://www.icefaces.org/JForum/posts/list/3390.page

Re:acegi-security and icefaces

philip.breau — GMT

I've attached the built example if anyone's interested. This is built from the current 1.6 trunk. Philip

Re:acegi-security and icefaces

eashwaranp — GMT

Brad & Philip, The AuthenticationController and OurUserDetailsService way of implementing ACEGI security simply ROCKS! After some research I got this working with my ICEfaces application. I'm also able to use isUserInRole method inside a backing bean. Thanks for explaining these in so much detail. Regards, Eashwaran.

Re:acegi-security and icefaces

craig — GMT

Hi how did you get this working from within a backing bean? Durring normal requests i use Code:

Authentication auth = SecurityContextHolder.getContext().getAuthentication();

to get my principle. However, durring server push or new Threads this doesnt work, is there a way around this? Thanks Craig

Re:acegi-security and icefaces

eashwaranp — GMT

I don't use the SecurityContextHolder, instead I use the HttpServletRequest's isUserInRole or getUserPrincipal. The request can be obtained from the FacesContext's external context (which is available only at request time, and not from any session context or thread that is not in request scope). I believe the ACEGI security uses ThreadLocal to store the security context, but I'm not very clear how one would use this to obtain the principal. Reading the ACEGI docs, it does appear that your method of using SecurityContextHolder is correct and it should work. Excerpt code from http://www.acegisecurity.org/docbook/acegi.html Code:

Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

if (obj instanceof UserDetails) {
  String username = ((UserDetails)obj).getUsername();
} else {
  String username = obj.toString();
}

So, I'm not sure why this won't work. Maybe the ICEfaces gurus can help us here. Regards, Eashwaran.

acegi-security and icefaces

dinobhai — GMT

hi we have been thinking of using a security API for our application but we are not using springs framework would we still be able to use acegi or is there any other alternative .. Rajat

Re:acegi-security and icefaces

rainwebs — GMT

Well, you can't use Acegi without the Spring Framework. So, if you can't use Spring you have to skip Acegi. In this case you may fall back to the JEE standards the application server delivers (JAAS). But, this isn't as portable as using Acegi.

Re:acegi-security and icefaces

brad.kroeger — GMT

The Spring framework jars are required, but beyond that acegi can be used without having to implement any other Spring functionality. See the example code I posted above, that is all that was required to add acegi to an ICEfaces application.

Re:acegi-security and icefaces

javawong369 — GMT

Hi: Do you have the configuration examples for j_username and j_password, respectively, and a form action pointing to j_acegi_security_check. thanks.

Re:acegi-security and icefaces

david.malec — GMT

Hello guys, I was trying philip.breau's acegi sample application security.war . Whan it is deployed on Tomcat (5.5) it's working without problems. Once I deploy it on JBoss 4.2.0 it's not working at all. Thy JBoss guys use JSF Sun RI 1.2 and when JBoss tried to deploy the application, errors occurs : 13:10:30,327 ERROR [[/security]] Exception sending context initialized event to listener instance of class org.jboss.web.jsf.integration.config.JBossJSFConfigur eListener java.lang.ClassCastException: com.sun.faces.application.ApplicationAssociate at com.sun.faces.application.ApplicationAssociate.getInstance(ApplicationAssociate.java:172) at com.sun.faces.config.JSFVersionTracker.publishInstanceToApplication(JSFVersionTracker.java:266) at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:424) at org.jboss.web.jsf.integration.config.JBossJSFConfigureListener.contextInitialized(JBossJSFConfigureListener.java:69) at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3854) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4359) . . . . . Ok, this is obviously wrong JSF version, so I deleted these JAR files from security/WEB-INF/lib : jsf-api.jar jsf-impl.jar After another JBoss launch application was succesfuly deployed. But when I accessed the application, this exception was thrown : javax.servlet.ServletException: Servlet execution threw an exception org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:63) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77) org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) root cause java.lang.LinkageError: loader constraints violated when linking javax/el/ELContext class com.icesoft.faces.webapp.http.servlet.ServletView.(ServletView.java:45) com.icesoft.faces.webapp.http.servlet.SingleViewServlet.service(SingleViewServlet.java:39) com.icesoft.faces.webapp.http.servlet.PathDispatcher$Matcher.serviceOnMatch(PathDispatcher.java:52) com.icesoft.faces.webapp.http.servlet.PathDispatcher.service(PathDispatcher.java:29) com.icesoft.faces.webapp.http.servlet.MainSessionBoundServlet.service(MainSessionBoundServlet.java:89) com.icesoft.faces.webapp.http.servlet.SessionDispatcher.service(SessionDispatcher.java:35) com.icesoft.faces.webapp.http.servlet.PathDispatcher$Matcher.serviceOnMatch(PathDispatcher.java:52) com.icesoft.faces.webapp.http.servlet.PathDispatcher.service(PathDispatcher.java:29) com.icesoft.faces.webapp.http.servlet.MainServlet.service(MainServlet.java:59) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:63) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77) org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) My next step was to delete another JAR : el-api.jar Next JBoss start, after accessing application this error occurs : javax.faces.FacesException: Can't parse stream for /login.jspx Error at (40, 104: Cannot invoke com.sun.faces.taglib.html_basic.InputTextTag.setValue - argument type mismatch com.icesoft.faces.application.D2DViewHandler.renderResponse(D2DViewHandler.java:488) com.icesoft.faces.application.D2DViewHandler.renderView(D2DViewHandler.java:150) com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106) com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251) com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144) com.icesoft.faces.webapp.http.core.PageServer$1.respond(PageServer.java:26) com.icesoft.faces.webapp.http.servlet.ServletRequestResponse.respondWith(ServletRequestResponse.java:125) com.icesoft.faces.webapp.http.core.PageServer.service(PageServer.java:31) com.icesoft.faces.webapp.http.servlet.BasicAdaptingServlet.service(BasicAdaptingServlet.java:16) com.icesoft.faces.webapp.http.servlet.SingleViewServlet.service(SingleViewServlet.java:48) com.icesoft.faces.webapp.http.servlet.PathDispatcher$Matcher.serviceOnMatch(PathDispatcher.java:52) com.icesoft.faces.webapp.http.servlet.PathDispatcher.service(PathDispatcher.java:29) com.icesoft.faces.webapp.http.servlet.MainSessionBoundServlet.service(MainSessionBoundServlet.java:89) com.icesoft.faces.webapp.http.servlet.SessionDispatcher.service(SessionDispatcher.java:35) com.icesoft.faces.webapp.http.servlet.PathDispatcher$Matcher.serviceOnMatch(PathDispatcher.java:52) com.icesoft.faces.webapp.http.servlet.PathDispatcher.service(PathDispatcher.java:29) com.icesoft.faces.webapp.http.servlet.MainServlet.service(MainServlet.java:59) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:63) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77) org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) root cause java.lang.IllegalArgumentException: Cannot invoke com.sun.faces.taglib.html_basic.InputTextTag.setValue - argument type mismatch org.apache.commons.digester.Digester.createSAXException(Digester.java:2540) org.apache.commons.digester.Digester.createSAXException(Digester.java:2566) org.apache.commons.digester.Digester.startElement(Digester.java:1276) org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source) org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source) org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source) org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source) org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) org.apache.xerces.parsers.XMLParser.parse(Unknown Source) org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source) org.apache.commons.digester.Digester.parse(Digester.java:1586) com.icesoft.faces.webapp.parser.Parser.parse(Parser.java:122) com.icesoft.faces.application.D2DViewHandler.renderResponse(D2DViewHandler.java:482) com.icesoft.faces.application.D2DViewHandler.renderView(D2DViewHandler.java:150) com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106) com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251) com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144) com.icesoft.faces.webapp.http.core.PageServer$1.respond(PageServer.java:26) com.icesoft.faces.webapp.http.servlet.ServletRequestResponse.respondWith(ServletRequestResponse.java:125) com.icesoft.faces.webapp.http.core.PageServer.service(PageServer.java:31) com.icesoft.faces.webapp.http.servlet.BasicAdaptingServlet.service(BasicAdaptingServlet.java:16) com.icesoft.faces.webapp.http.servlet.SingleViewServlet.service(SingleViewServlet.java:48) com.icesoft.faces.webapp.http.servlet.PathDispatcher$Matcher.serviceOnMatch(PathDispatcher.java:52) com.icesoft.faces.webapp.http.servlet.PathDispatcher.service(PathDispatcher.java:29) com.icesoft.faces.webapp.http.servlet.MainSessionBoundServlet.service(MainSessionBoundServlet.java:89) com.icesoft.faces.webapp.http.servlet.SessionDispatcher.service(SessionDispatcher.java:35) com.icesoft.faces.webapp.http.servlet.PathDispatcher$Matcher.serviceOnMatch(PathDispatcher.java:52) com.icesoft.faces.webapp.http.servlet.PathDispatcher.service(PathDispatcher.java:29) com.icesoft.faces.webapp.http.servlet.MainServlet.service(MainServlet.java:59) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264) org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107) org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229) org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274) org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98) org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:63) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77) org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) Now I'm not sure how to continue, I tried to change JBoss JSF implementations as well, but withou success. Please if somebody can help me ;) Have a nice day anyway David.

Re:acegi-security and icefaces

GuntherD — GMT

Hi, Has anybody managed to get the "remember me" services working with the backing bean example? I have been following the pointers in the original Javakaffee post http://www.javakaffee.de/blog/2006/07/04/jsfacegi-authentication-with-a-backing-bean/?, but am stuck on the [/code]rememberMeServices.loginSuccess(request, response, authResult); [/code] part, because when I try to get the response like this [code]HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();[/code], the response object always returns null. Any ideas anybody? Thx

Re:acegi-security and icefaces

GuntherD — GMT

Hi again, Did some debugging, and managed to solve the question above (actually, it was not the response that was generating the NPE, but the rememberMeservice itself). Anyway, I got it woking by implementing my own CustomTokenBasedRememberMeServices, because the standard one has a security measure in the 'loginSuccess' method, that effectively blocks the creation of a cookie is a certain parameter is not present. That parameter being linked to the actual checkbox on the login page. Obviously, since we're working with a backing bean, this parameter never gets sent. My question however, does anybody know if there's a cleaner way to maybe pass this parameter, so I can keep on using the standard TokenBasedRememberMeServices? I'll keep digging, but any ideas are more then welcome. Also, if there's interest, I'll post the necessary backing-bean code and securityContext.xml parameters. Rgds, GuntherD

Re:acegi-security and icefaces

kito99 — GMT

Is anything special required to integrate Acegi with ICEfaces if you're not using programmatic authentication? This app has a standard JSP for the login page (no JSF components), so we're not doing anything fancy. I am getting a Session expired exception quite a bit, though. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Kito D. Mann - Author, JavaServer Faces in Action http://www.virtua.com - JSF/Java EE consulting, training, and mentoring http://www.JSFCentral.com - JavaServer Faces FAQ, news, and info

Re:acegi-security and icefaces

ted.goddard — GMT

kito99 wrote:

Is anything special required to integrate Acegi with ICEfaces if you're not using programmatic authentication? This app has a standard JSP for the login page (no JSF components), so we're not doing anything fancy. I am getting a Session expired exception quite a bit, though.

ICEfaces uses Acegi to determine the user role when request.isUserInRole() is not necessarily available (such as during Ajax Push). So if you have installed the Acegi .jar files globally for your application server so that Acegi can determine the user role from the Principal (this is the Acegi API used by ICEfaces), nothing additional should be required. Are there any particular conditions that cause the Session Expired (other than session expiry, I expect)?

Re:acegi-security and icefaces

kito99 — GMT

Thanks, Ted. I just wanted to make sure Acegi wasn't interfering with anything. I think the SessionExpired exception was due to the Tomcat persistence sessions, which I turned off. I haven't seen it since. ~~ Kito D. Mann - Author, JavaServer Faces in Action http://www.virtua.com - JSF/Java EE consulting, training, and mentoring http://www.JSFCentral.com - JavaServer Faces FAQ, news, and info