I paid some attention to the thread about "avoiding reauthentication"
when it was active a week or so ago, because I've had some similar
experiences with acegi requiring reauthentication. but I wasn't
using the latest snapshot, so I kept quiet.

so I've just updated against HEAD, and it looks to me as though acegi
is reauthenticating more than it should, or more than I would expect,
anyhow. I've got to think this is due to a configuration error on my
part, so I could use some guidance.

here's the thing:
I notice the following in AbstractSecurityInterceptor:

    protected InterceptorStatusToken beforeInvocation(Object object) {
        ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource()
                                             .getAttributes(object);
        if (attr != null) {
            ...
        }
        else {
            // Set Authentication object (if it exists) to be unauthenticated
            if (SecurityContextHolder.getContext().getAuthentication() != null)
            {
                Authentication authenticated =
                    SecurityContextHolder.getContext()
                                         .getAuthentication();
                authenticated.setAuthenticated(false);
                SecurityContextHolder.getContext().setAuthentication(authenticated);
            }
        }

so what appears to happen is that a request for some protected page
will go through, authentication will be triggered, and after
authentication everything proceeds fine. but then as soon as any
non-protected resource (an image, CSS, etc.) is requested, the
'authenticated' flag on the authentication object is set to false, so
the next time around we'll need to reauthenticate.
what am I missing here?
--
joe
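
A minimal model of the request sequence described in the post above, added here as an illustration; it is not part of the original message and not Acegi code. `Auth`, `Interceptor` and the request paths are hypothetical stand-ins, and the secured branch is assumed to authenticate whenever the flag is false, since that branch is elided in the excerpt.

```java
import java.util.Set;

// Constructed model of the flow in the post; Auth and Interceptor are
// hypothetical stand-ins, not Acegi classes.
public class ReauthModel {
    static class Auth {
        private boolean authenticated;
        boolean isAuthenticated() { return authenticated; }
        void setAuthenticated(boolean value) { authenticated = value; }
    }

    static class Interceptor {
        private final Set<String> securedPaths;      // paths that have config attributes
        private final Auth sessionAuth = new Auth(); // Authentication kept across requests
        int authenticateCalls = 0;

        Interceptor(Set<String> securedPaths) { this.securedPaths = securedPaths; }

        void beforeInvocation(String path) {
            if (securedPaths.contains(path)) {
                // Assumption: the elided branch authenticates when the flag is false.
                if (!sessionAuth.isAuthenticated()) {
                    authenticateCalls++;
                    sessionAuth.setAuthenticated(true);
                }
            } else {
                // Mirrors the quoted else branch: a public invocation clears the flag.
                sessionAuth.setAuthenticated(false);
            }
        }
    }

    // Replays a request sequence and returns how often authentication ran.
    static int countAuthentications(String... requests) {
        Interceptor interceptor = new Interceptor(Set.of("/secure/account"));
        for (String path : requests) {
            interceptor.beforeInvocation(path);
        }
        return interceptor.authenticateCalls;
    }

    public static void main(String[] args) {
        // Constructed request sequences: without and with a public resource in between.
        System.out.println(countAuthentications("/secure/account", "/secure/account"));
        System.out.println(countAuthentications("/secure/account", "/css/site.css", "/secure/account"));
    }
}
```

In this model the first sequence authenticates once and the second twice, because the stylesheet request in between clears the flag.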