This is making me crazy, it's 4:00am here but I'm still debugging....The problem is that I cannot login with correct username and password. From the log file I saw that the authenticator's authenticate method was always called twice after my single click. The first call it got the correct user name and password from the identity but the second call comes with a username but null password. Thus there was always the NoResultException caught in the authenticator. I'm not using the rule based security for now, everything was seam-gen -ed (the authenticator thing and related configuration). I looked into the seam's security package but did not find the cause of my problem.
My application use the "just-in-time" login. By default the available options was shown on the page and when the user tries to do sth, if the action requirs login, then a small login form is rendered on the same page. After login, all the not permitted option buttons disappear and if the button he just clicked is not allowed for him, an error message will appear. (I think this kind of UI is more user-friendly). Really strange thing was, the "just-in-time" login form worked on some pages and did not work (the error was like described above) on some other pages. I cannot predict on which page it works and on which page it does not. All errors were caused by twice submissions of the login form.