I'm having a few issues when upgrading AppFuse to use Acegi Security 1.0. I've documented some of these issues in other posts, but I figured it would be best to write a detailed step-by-step log of issues I encountered while upgrading.
The first thing I did to upgrade was to simply replace acegi-security-1.0.0-RC2.jar with acegi-security-1.0.0.jar. I'm using Spring 1.2.8. My applicationContext-security.xml file is located at:
1. The first issue I see is a ClassCastException in an HttpSessionAttributeListener that counts the number of logged in users.
The above line throws an exception because securityContext.getAuthentication().getPrincipal() returns a String instead of a User. This happens before I even login. I'm guessing Acegi is stuffing an anonymous object into the session with the HttpSessionContextIntegrationFilter.ACEGI_SECURITY _CONTEXT_KEY key.
User user = (User) securityContext.getAuthentication().getPrincipal();
I have my securityFilter mapped to /j_security_check, *.html and *.jsp. My welcome-file is index.jsp, which redirects to mainMenu.html. Since mainMenu.html is protected, Acegi forwards to login.jsp. Below is my objectDefinitionSource from filterInvocationInterceptor:
Even after logging in, my HttpSessionAttributeListener doesn't get fired again. However, if I logout and log back in, it *will* get fired and the cast will work properly. If I clear all my cookies and hit my application again, I can reproduce the ClassCastException.
Is there something that changed in the anonymous user processing logic (or in filterInvocationInterceptor) between RC2 and 1.0? It seems like RC2 did not stuff anonymous users into the session, whereas 1.0 does.
2. Reloading my application results in the following error:
I'm guessing this has something to do with the new "save the request parameters" logic introduced in 1.0.0? The strange thing is this happens when I'm not even doing anything, so Acegi is putting something into my session (a cookie?) that's not serializable.
[appfuse-webwork] WARN [http-8080-Processor24] [/appfuse-webwork].writeObject(1461) | Cannot serialize session attribute ACEGI_SAVED_REQUEST_KEY for session 31C8785E3615152E56FED21AC9795A92
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1075) at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:291)
For these reasons, I believe I'm probably better off backing down to RC2.