[EMAIL PROTECTED] wrote:
> The BasicProcessingFilter is the caller.

Hi Fernando

Yes, in that case you will have re-authentication. This is because the
detection of a BASIC authentication header will cause the
AuthenticationManager to be called during each request. We could modify
this behaviour to compare it against the
HttpSessionContextIntegrationFilter-stored Authentication, although in
that case it will mean HttpSessions are needed between invocations.

Recall that HttpSessionContextIntegrationFilter can have its
allowSessionCreation property set to false, meaning a HttpSession is not
unnecessarily created when being used with BASIC or Digest
authentication. I am not sure whether the added overhead of session
management would exceed the cost of hitting the AuthenticationManager
and in turn an AuthenticationProvider that offers caching.

If people would like to see BASIC and Digest authentication mechanisms
use the HttpSession as an optional parameter, please let me know and we
can add it to JIRA.

Cheers
Ben
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
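
The per-request path described in the message above, modelled as an added example that is not part of the original message and is not Acegi Security code: each request with a BASIC header is authenticated again without any HttpSession, and a provider-side user cache keeps the slow user store from being hit every time. All names (`BasicAuthCachingDemo`, `USER_CACHE`, `changePassword`, the sample account) are hypothetical, and plain-text secrets stand in for the salted hashes a real store would hold.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Simplified model, not Acegi Security code: every class and method name is hypothetical.
public class BasicAuthCachingDemo {
    static final Map<String, String> BACKEND = new HashMap<>();    // slow user store (constructed data)
    static final Map<String, String> USER_CACHE = new HashMap<>(); // provider-side cache: username -> secret
    static int backendLookups = 0;

    // Constant-time comparison of the stored secret with the one presented in the header.
    static boolean matches(String stored, String presented) {
        return stored != null && MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    // A password change must evict the cached entry, or the old password keeps working.
    static void changePassword(String username, String newPassword) {
        BACKEND.put(username, newPassword);
        USER_CACHE.remove(username);
    }

    // Runs on every request carrying a BASIC header; no HttpSession is consulted or created.
    static boolean authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) return false;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) { return false; }
        int colon = decoded.indexOf(':');
        if (colon < 0) return false;
        String username = decoded.substring(0, colon), presented = decoded.substring(colon + 1);
        if (matches(USER_CACHE.get(username), presented)) return true; // still verified, store not hit
        backendLookups++;                                               // cache miss or mismatch
        String stored = BACKEND.get(username);
        if (!matches(stored, presented)) return false;
        USER_CACHE.put(username, stored);
        return true;
    }

    static String basic(String user, String pass) {
        return "Basic " + Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        BACKEND.put("fernando", "s3cret"); // constructed sample account
        for (int i = 0; i < 3; i++) System.out.println("request " + i + ": " + authenticate(basic("fernando", "s3cret")));
        System.out.println("store lookups after 3 requests: " + backendLookups);
        changePassword("fernando", "n3w-s3cret");
        System.out.println("old password after change: " + authenticate(basic("fernando", "s3cret")));
    }
}
```

In this model a request with wrong credentials always falls through to the user store, so the cache reduces the cost of legitimate repeat requests only and does not absorb the load of failed attempts.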