It appears that when DaoAuthenticationProvider creates a UsernamePasswordAuthenticationToken, it passes in the password from the User object returned from the DAO. This password is coming straight from the DB in my case, and is already SHA encoded. So, we now have an authentication token that contains an encoded password.

The first time the user is authenticated, things seem to work (since the Authentication object passed into DaoAuthenticationProvider contains the raw password). However, DaoAuthenticationProvider then returns a new Authentication object that contains the encoded password (if you are using encoding, of course). This new object gets tucked away into the context. Upon later accesses, this new object is pulled out and again passed to DaoAuthenticationProvider. Now when DaoAuthenticationProvider checks the password, it ends up calling "isPasswordValid", passing in the encoded password for the rawPass parameter. The SHA encoder dutifully re-encodes this already encoded password, and things break.

Is this a bug, or am I missing something? This could possibly have something to do with the fact that, for some reason, in my setup anyway, after the user is authenticated the isAuthenticated flag of the Authentication token is never set to true, thus forcing Acegi to reauthenticate the user with the authentication token that is stored in the context, which contains the already encoded password.
Thanks,
Andy

_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
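A small model of the flow Andy describes, added here as an illustration and not Acegi's own code: a DAO-backed provider that copies the stored SHA-encoded password into the returned token (so every later request re-encodes the hash) beside one that returns the caller's token marked authenticated. The user store, username, password and use of SHA-1 as the encoder are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass


def sha_encode(raw: str) -> str:
    # Stand-in for the SHA password encoder: hex SHA-1 of the raw password.
    # The exact digest does not matter, only that sha_encode(x) != x.
    return hashlib.sha1(raw.encode()).hexdigest()


@dataclass(frozen=True)
class Token:
    principal: str
    credentials: str          # raw password from the caller, or whatever the provider stored
    authenticated: bool = False


# Constructed user store standing in for the DAO: the DB holds the encoded password.
USER_STORE = {"andy": sha_encode("correct horse")}


def provider(token: Token, copy_stored_password: bool) -> Token:
    """Model of a DAO-backed provider; raises on a credential mismatch.

    copy_stored_password=True reproduces the behaviour in the post: the returned token
    carries the encoded password taken from the User object and is not marked authenticated.
    copy_stored_password=False keeps the caller's credentials and sets the authenticated flag.
    """
    stored = USER_STORE.get(token.principal)
    if stored is None or sha_encode(token.credentials) != stored:
        raise PermissionError("bad credentials")
    if copy_stored_password:
        return Token(token.principal, stored, authenticated=False)
    return Token(token.principal, token.credentials, authenticated=True)


def simulate_requests(copy_stored_password: bool, requests: int = 3) -> list[str]:
    """Login followed by further requests against the token kept in the security context.

    As the post observes, a token whose authenticated flag is false is handed back to the
    provider on every request, so the provider re-encodes whatever credentials it holds.
    """
    context = Token("andy", "correct horse")    # first request carries the raw password
    outcomes = []
    for _ in range(requests):
        if not context.authenticated:
            try:
                context = provider(context, copy_stored_password)
            except PermissionError:
                outcomes.append("rejected")     # hash-of-hash never matches the stored hash
                continue
        outcomes.append("ok")
    return outcomes
```

The variant that sets the flag still leaves the raw credential sitting in the context for the life of the session, which is its own exposure; the model only isolates the re-encoding failure.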