Some experiences from integrating the Security Framework into a couple of apps.
1) If security components aren't configured in components.xml (but the servlet filter has been added):
java.lang.NullPointerException
    at org.jboss.seam.security.filter.SeamSecurityFilter.checkSecurityConstraints(SeamSecurityFilter.java:82)
    at org.jboss.seam.security.filter.SeamSecurityFilter.doFilter(SeamSecurityFilter.java:64)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.jboss.seam.servlet.SeamRedirectFilter.doFilter(SeamRedirectFilter.java:32)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
    at java.lang.Thread.run()V(Unknown Source)
2) If an empty security constraint element is specified
<security-constraint></security-constraint> then an NPE is thrown (sorry, I
don't have the trace to hand).
3) +1 for being able to specify 'web-resource-collection' restraints in pages.xml
(or have I missed this?)
4) If the user is not logged in, and requests a secured page, they get redirected to the
securityError.seam page. On this page I have a login box, so the user can log in. It would
be good, if the login is successful, for the user to be redirected to the originally
requested page. Is this currently possible (and I've broken something ;) ?
Looking good :)
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4005286#...