I just thought you could also use the jsf-security project made by some people from Oracle: http://jsf-security.sourceforge.net/
It should help you.

On 12/28/05, Alexandre Poitras <[EMAIL PROTECTED]> wrote:
> Your problem comes from the fact you are trying to retrieve a
> request-scoped value from a session-scoped bean which is illegal in
> JSF. It was probably a bug in the previous version that could have
> given you some weird exceptions.
>
> But I think the bug comes from the request class design. Why is the
> getRemoteUser method in the request class when it is clearly related
> to the session, i.e. you need to invalidate the session to log off the
> user. Doesn't make sense to me. The security is so messy in the J2EE
> world. I hope they get some work done on this area in the future.
>
> Anyway, back to your problem. You need to initialize the property by
> hand in your backing bean even if it looks like a kind of hack.
>
> Hope it helps!
>
> On 12/28/05, EXTERNAL Willinger Markus (Diplomand; CC/EMT1)
> <[EMAIL PROTECTED]> wrote:
> >
> > Hello,
> >
> > We are using Tomcat 5.5, JDK 1.5, MyFaces 1.1. In our web-application we get
> > an error when trying to "login", after upgrading MyFaces from version 1.09
> > to 1.1. Here is our login process in steps:
> >
> > 1.) Login via Tomcat's standard login function (j_username, j_password) using
> > REALM
> > 2.) Initializing the managed-bean
> > "com.mycompany.UserHandlingBackingBean":
> >
> > <managed-bean>
> >     <managed-bean-name>userHandlingBackingBean</managed-bean-name>
> >     <managed-bean-class>
> >         com.mycompany.UserHandlingBackingBean
> >     </managed-bean-class>
> >     <managed-bean-scope>session</managed-bean-scope>
> >     <!-- sets the _currentUserName - property
> >          in the UserHandlingBackingBean -->
> >     <managed-property>
> >         <property-name>_currentUserName</property-name>
> >         <value>#{facesContext.externalContext.remoteUser}</value>
> >     </managed-property>
> > </managed-bean>
> >
> > This managed-bean tries to set the current logged-in user (its username) in
> > the property "(String)_currentUserName" (using
> > #{facesContext.externalContext.remoteUser}). Our login
> > process works fine with MyFaces 1.09. But with MyFaces 1.1 we get the
> > following exception:
> >
> > Caused by: javax.faces.FacesException: Property _currentUserName references
> > object in a scope with shorter lifetime than the target scope session
> >     at org.apache.myfaces.config.ManagedBeanBuilder.initializeProperties(ManagedBeanBuilder.java:154)
> >     at org.apache.myfaces.config.ManagedBeanBuilder.buildManagedBean(ManagedBeanBuilder.java:55)
> >     at org.apache.myfaces.el.VariableResolverImpl.resolveVariable(VariableResolverImpl.java:311)
> >     at org.apache.myfaces.el.ValueBindingImpl$ELVariableResolver.resolveVariable(ValueBindingImpl.java:571)
> >     at org.apache.commons.el.NamedValue.evaluate(NamedValue.java:124)
> >     at org.apache.commons.el.ComplexValue.evaluate(ComplexValue.java:140)
> >     at org.apache.myfaces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:380)
> >     ... 47 more
> >
> > We changed the class "ManagedBeanBuilder" (located in myfaces-impl.jar)
> > especially its method "isInValidScope()":
> > [..]
> > // 'session' scope can reference 'session', 'application', and 'none' but not 'request'
> > if (targetScope.equalsIgnoreCase("session")) {
> >     if (valueScope != null) {
> >         if (valueScope.equalsIgnoreCase("request")) {
> >             // DISABLED BY ME to avoid the exception! return false;
> >         }
> >     }
> >     return true;
> > }
> > [..]
> >
> > After that it works again. Probably it is the reason that the REALM uses a
> > request-scope and we use an application-scope.
> >
> > Our question is, how should we do a login and get the username into our
> > property "(String)_currentUserName" when initializing the managed-bean
> > "com.mycompany.UserHandlingBackingBean" without getting an
> > exception based on the "isInValidScope()" method?
> >
> >
> > Greetings.
> >
>
> --
> Alexandre Poitras
> Québec, Canada
>

--
Alexandre Poitras
Québec, Canada
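
The "initialize the property by hand" approach from the quoted reply, as an added example that is not part of the original thread and is not MyFaces code: the `<managed-property>` block is removed from faces-config.xml and the session-scoped bean reads the container-authenticated user itself, so the scope check in `ManagedBeanBuilder` stays unpatched. The class and field names come from the thread; the `getCurrentUserName` and `logout` methods and the `"loggedOut"` outcome are assumptions, and the JSF 1.1 and servlet APIs are expected on the classpath.

```java
package com.mycompany;

import java.io.Serializable;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread. Session-scoped backing bean
 * that looks up the authenticated user by hand instead of receiving it
 * through a request-scoped EL value in faces-config.xml.
 */
public class UserHandlingBackingBean implements Serializable {

    private static final long serialVersionUID = 1L;

    // Cached copy only; the container's remoteUser is the source of truth.
    private String _currentUserName;

    /** Hypothetical accessor, exposed to EL as "currentUserName". */
    public String getCurrentUserName() {
        FacesContext fc = FacesContext.getCurrentInstance();
        if (fc == null) {
            // Called outside a JSF request: only the cached value exists.
            return _currentUserName;
        }
        // Re-read on every request so the session-scoped bean never keeps
        // serving a name the container no longer vouches for.
        _currentUserName = fc.getExternalContext().getRemoteUser();
        return _currentUserName;
    }

    /** Hypothetical logout action: invalidating the session ends the login. */
    public String logout() {
        ExternalContext ec =
                FacesContext.getCurrentInstance().getExternalContext();
        HttpSession session = (HttpSession) ec.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        _currentUserName = null;
        return "loggedOut"; // assumed navigation outcome
    }
}
```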