> Since getPrincipal already has a signature of Object, why
> can't it be allowed to store the user object sans password
> instead of only the user name as string. Then in my provider,
> I can prepare my user object in any way I like, whether it be
> string (user name) or an object with some info and then cast
> it accordingly in my view.
So you're proposing DaoAuthenticationProvider returns an Authentication object (specifically UsernamePasswordAuthenticationToken) that has as its Principal the User, rather than the current User.getUsername() String?

DaoAuthenticationProvider uses authentication.getPrincipal() in which it expects a String to be presented. We would need to have DaoAuthenticationProvider detect if the presented Authentication.getPrincipal() object is a String or User, and handle it accordingly. Aside from this, I can't see any problems with this approach.

I also think we should overwrite the password in the User object before passing it to the AuthenticationEvent and/or using it as the returned Authentication.getPrincipal() value.

Would doing this cause concerns for anyone?

Ben

_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
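The provider change sketched in the reply above, as an added Java illustration that is not Acegi's own code: the User, token and provider classes are simplified stand-ins whose shapes are assumed, the DAO is an in-memory map, and passwords are stored and compared in plaintext only to keep the sketch short.

```java
import java.util.HashMap;
import java.util.Map;

// Assumed stand-in for Acegi's User: the password can be blanked after authentication.
class User {
    private final String username;
    private String password;
    User(String username, String password) { this.username = username; this.password = password; }
    String getUsername() { return username; }
    String getPassword() { return password; }
}

// Assumed stand-in for UsernamePasswordAuthenticationToken; principal is typed Object on purpose.
class UsernamePasswordAuthenticationToken {
    private final Object principal;
    private final Object credentials;
    private final boolean authenticated;
    UsernamePasswordAuthenticationToken(Object principal, Object credentials, boolean authenticated) {
        this.principal = principal; this.credentials = credentials; this.authenticated = authenticated;
    }
    Object getPrincipal() { return principal; }
    Object getCredentials() { return credentials; }
    boolean isAuthenticated() { return authenticated; }
}

// Hypothetical provider showing the two points from the thread: accept either a String or a
// User as the presented principal, and never return the stored password in the principal.
class DaoAuthenticationProviderSketch {
    private final Map<String, User> userStore = new HashMap<>(); // stands in for the DAO

    void addUser(User u) { userStore.put(u.getUsername(), u); }

    // Detect the presented principal type and resolve it to a username.
    private static String resolveUsername(Object principal) {
        if (principal instanceof User) return ((User) principal).getUsername();
        if (principal instanceof String) return (String) principal;
        throw new IllegalArgumentException("Unsupported principal type: " + principal.getClass().getName());
    }

    UsernamePasswordAuthenticationToken authenticate(UsernamePasswordAuthenticationToken request) {
        User stored = userStore.get(resolveUsername(request.getPrincipal()));
        if (stored == null || !stored.getPassword().equals(request.getCredentials())) {
            throw new SecurityException("Bad credentials");
        }
        // Hand back a copy with the password overwritten, so views and AuthenticationEvent
        // listeners receive the user object but never the secret.
        User safeCopy = new User(stored.getUsername(), null);
        return new UsernamePasswordAuthenticationToken(safeCopy, request.getCredentials(), true);
    }
}
```

A caller can then use `(User) token.getPrincipal()` in the view, while a token built with a plain String principal still authenticates through the same path.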