I just thought you could also use the jsf-security project made by some
people from Oracle:
http://jsf-security.sourceforge.net/

It should help you.

On 12/28/05, Alexandre Poitras <[EMAIL PROTECTED]> wrote:
> Your problem comes from the fact you are trying to retrieve a
> request-scoped value from a session-scoped bean which is illegal in
> JSF. It was probably a bug in the previous version that could have
> given you some weird exceptions.
>
> But I think the bug comes from the request class design. Why is the
> getRemoteUser method in the request class when it is clearly related
> to the session, i.e. you need to invalidate the session to log off the
> user. Doesn't make sense to me. The security is so messy in the J2EE
> world. I hope they get some work done on this area in the future.
>
> Anyway, back to your problem. You need to initialize the property by
> hand in your backing bean even if it looks like a kind of hack.
>
> Hope it helps!
>
> On 12/28/05, EXTERNAL Willinger Markus (Diplomand; CC/EMT1)
> <[EMAIL PROTECTED]> wrote:
> >
> >
> > Hello,
> >
> > We are using Tomcat 5.5, JDK 1.5, MyFaces 1.1. In our web-application we get
> > an error when trying to "login", after upgrading MyFaces from version 1.09
> > to 1.1. Here is our login process in steps:
> >
> > 1.) Login via Tomcat's standard login function (j_username, j_password) using
> > REALM
> > 2.) Initializing the managed-bean
> > "com.mycompany.UserHandlingBackingBean":
> >
> >         <managed-bean>
> >                 <managed-bean-name>userHandlingBackingBean</managed-bean-name>
> >                 <managed-bean-class>
> >                         com.mycompany.UserHandlingBackingBean
> >                 </managed-bean-class>
> >                 <managed-bean-scope>session</managed-bean-scope>
> >                 <!--  sets the _currentUserName - property
> >                         in the UserHandlingBackingBean -->
> >                 <managed-property>
> >                         <property-name>_currentUserName</property-name>
> >                         <value>#{facesContext.externalContext.remoteUser}</value>
> >                 </managed-property>
> >         </managed-bean>
> >
> > This managed-bean tries to set the current logged-in user (its username) in
> > the property "(String)_currentUserName" (using
> > #{facesContext.externalContext.remoteUser}). Our login
> > process works fine with MyFaces 1.09. But with MyFaces 1.1 we get the
> > following exception:
> >
> > Caused by: javax.faces.FacesException: Property _currentUserName references object in a scope with shorter lifetime than the target scope session
> >         at org.apache.myfaces.config.ManagedBeanBuilder.initializeProperties(ManagedBeanBuilder.java:154)
> >         at org.apache.myfaces.config.ManagedBeanBuilder.buildManagedBean(ManagedBeanBuilder.java:55)
> >         at org.apache.myfaces.el.VariableResolverImpl.resolveVariable(VariableResolverImpl.java:311)
> >         at org.apache.myfaces.el.ValueBindingImpl$ELVariableResolver.resolveVariable(ValueBindingImpl.java:571)
> >         at org.apache.commons.el.NamedValue.evaluate(NamedValue.java:124)
> >         at org.apache.commons.el.ComplexValue.evaluate(ComplexValue.java:140)
> >         at org.apache.myfaces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:380)
> >         ... 47 more
> >
> > We changed the class "ManagedBeanBuilder" (located in myfaces-impl.jar)
> > especially its method "isInValidScope()":
> > [..]
> >             // 'session' scope can reference 'session', 'application', and 'none' but not 'request'
> >             if (targetScope.equalsIgnoreCase("session")) {
> >                 if (valueScope != null) {
> >                     if (valueScope.equalsIgnoreCase("request")) {
> >                         // DISABLED BY ME to avoid the exception!        return false;
> >                     }
> >                 }
> >                 return true;
> >             }
> > [..]
> >
> > After that it works again. Probably it is the reason that the REALM uses a
> > request-scope and we use an application-scope.
> >
> > Our question is, how should we do a login and get the username into our
> > property "(String)_currentUserName" when initializing the managed-bean
> > "com.mycompany.UserHandlingBackingBean" without getting an
> > exception based on the "isInValidScope()" method?
> >
> >
> > Greetings.
>
>
> --
> Alexandre Poitras
> Québec, Canada
>


--
Alexandre Poitras
Québec, Canada
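
The "initialize the property by hand" advice from the thread, as an added example that is not part of the original messages or of MyFaces: the session-scoped bean asks the container for the authenticated user on each access instead of having a request-scoped value injected once at bean creation. It assumes the `<managed-property>` entry is removed from the bean declaration; the `getCurrentUserName()`/`getUserState()` methods and the `userState`/`stateOwner` fields are hypothetical names.

```java
package com.mycompany; // package and class name as in the original post

import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import javax.faces.context.FacesContext;

// Added example: session-scoped bean declared WITHOUT the <managed-property>
// that injected #{facesContext.externalContext.remoteUser}.
public class UserHandlingBackingBean implements Serializable {
    private static final long serialVersionUID = 1L;

    // Hypothetical per-user state kept for the session, and the user it belongs to.
    private final Map<String, Object> userState = new HashMap<String, Object>();
    private String stateOwner;

    /** Returns the container-authenticated user for the current request, or null. */
    public synchronized String getCurrentUserName() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        if (ctx == null) {
            return null; // called outside a JSF request, no identity to read
        }
        String remoteUser = ctx.getExternalContext().getRemoteUser();
        syncOwner(remoteUser);
        return remoteUser;
    }

    /** Per-user state, re-checked against the user authenticated on this request. */
    public synchronized Map<String, Object> getUserState() {
        getCurrentUserName(); // refresh the identity check before handing out state
        return userState;
    }

    // Discard cached state when the authenticated identity no longer matches the
    // one it was stored under (logout, or login as another user in the same session).
    private void syncOwner(String remoteUser) {
        boolean same = (remoteUser == null) ? stateOwner == null
                                            : remoteUser.equals(stateOwner);
        if (!same) {
            userState.clear();
            stateOwner = remoteUser;
        }
    }
}
```

Because the user name is never copied into the session at creation time, the scope check in `ManagedBeanBuilder` can stay enabled and the bean cannot report a stale identity.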
