Title: Retrieving User after AuthenticationException

In AbstractUserDetailsAuthenticationProvider the authenticate() method calls the additionalAuthenticationChecks() method in a try block and can catch an AuthenticationException.  The code in the catch block (line 147 for rel 1.0.1) calls the retrieveUser() and additionalAuthenticationChecks() methods.  If the user details used for the call in the try block came from the cache, I understand why this makes sense.  However, if cacheWasUsed is false, the call to retrieve the user details obtains the exact same user details.

Perhaps the catch block should only repeat those method calls if cacheWasUsed is true, and throw the caught AuthenticationException if cacheWasUsed is false.

Thanks,
Mark

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
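
The behaviour proposed in the message above, as an added example that is not part of the original post and is not Acegi Security source code. It is a simplified stand-alone model: the class name, the `BadCredentials` exception, the two maps, and the plain-string password comparison are assumptions made for illustration. In both runs the backing store is consulted exactly once.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the authenticate() flow; hypothetical names throughout.
public class CacheAwareRetryDemo {
    static class BadCredentials extends RuntimeException {
        BadCredentials(String m) { super(m); }
    }

    // Constructed sample data: authoritative store and a cache that may be stale.
    // Passwords are plain strings only to keep the model short.
    static final Map<String, String> store = new HashMap<>();
    static final Map<String, String> cache = new HashMap<>();
    static int storeLookups = 0;

    static String retrieveUser(String username) {
        storeLookups++;
        String password = store.get(username);
        if (password == null) throw new BadCredentials("unknown user");
        return password;
    }

    static void additionalAuthenticationChecks(String stored, String presented) {
        if (!stored.equals(presented)) throw new BadCredentials("bad credentials");
    }

    static void authenticate(String username, String presented) {
        boolean cacheWasUsed = true;
        String user = cache.get(username);
        if (user == null) {
            cacheWasUsed = false;
            user = retrieveUser(username);
        }
        try {
            additionalAuthenticationChecks(user, presented);
        } catch (BadCredentials e) {
            // Fresh details already failed: a second lookup cannot change the result.
            if (!cacheWasUsed) throw e;
            cacheWasUsed = false;
            user = retrieveUser(username);          // cached details may be stale
            additionalAuthenticationChecks(user, presented);
        }
        cache.put(username, user);
    }

    public static void main(String[] args) {
        store.put("mark", "new-secret");
        cache.put("mark", "old-secret");            // stale: password changed after caching
        authenticate("mark", "new-secret");         // passes after one retry against the store
        System.out.println("stale cache: store lookups = " + storeLookups);
        cache.clear(); storeLookups = 0;
        try { authenticate("mark", "wrong"); }      // cache miss, then a genuine failure
        catch (BadCredentials e) { System.out.println("cache miss: store lookups = " + storeLookups); }
    }
}
```

Removing the `if (!cacheWasUsed) throw e;` line models the unconditional retry described in the message, and the cache-miss run then performs two store lookups for the same failed login.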