On Wed, 14 Jul 2004 08:24:25 +1000, Ben Alex <[EMAIL PROTECTED]> wrote:
> I'm just wondering why Acegi Security fails on the second pass. Your
> earlier email mentioned a null gets put into the SecureContext, but I'm
> not sure how or why you're seeing this. A debug-level log would be great.
> 
> Best regards
> Ben
> 

Ben,

The reason it fails is Weblogic runs the filters again on the same
thread in their current order. So when it starts returning up the
chain of filters that have been run, the second invocation of the
AbstractIntegrationFilter (which was caused by Weblogic applying the
filters a second time because of RequestDispatcher.include()) does
its job of moving the Authentication object from the SecureContext to
the Session. When the filter chain gets back to the first invocation,
there is no Authentication object in the SecureContext, and thus null
is put in the Session for ACEGI_SECURITY_AUTHENTICATION_KEY,
essentially removing it from the session. This occurs on lines 157-174
of AbstractIntegrationFilter.

Of the App Servers I have tested (Resin, Jboss/Jetty, Weblogic) only
Weblogic has the behavior of applying the filters again (in the same
thread) to RequestDispatcher.include().

If you have the source of Sitemesh 2.0.1 handy and look at
com.opensymphony.module.sitemesh.filter.PageFilter, starting at line
44, you can see how they deal with this situation by putting a marker
in the session that this filter has already run. Otherwise, they would
get caught in an infinite loop, since that filter later calls
RequestDispatcher.include().

I can look at adding the same sort of code to Acegi and submitting a
patch if you would like. The tricky part will be if someone has more
than one IntegrationFilter going and making sure each of them runs at
least once. But somehow I see that as being a rare case.

Thanks,
Patrick
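
The failure described in this message, together with a run-once marker of the kind proposed, as an added simulation that is not part of the original email and is not Acegi or Sitemesh code. Plain maps stand in for the session, the request attributes and the SecureContext; the marker name `integrationFilter.applied` and its request scope are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed simulation: no servlet API or Acegi classes are used.
public class ReentrantFilterDemo {
    static final String AUTH_KEY = "ACEGI_SECURITY_AUTHENTICATION_KEY"; // name from the email
    static final String APPLIED = "integrationFilter.applied";          // hypothetical marker

    static Map<String, Object> session = new HashMap<>();
    static Map<String, Object> request = new HashMap<>();
    static Object secureContextAuth; // stands in for the Authentication in the SecureContext

    interface Chain { void proceed(); }

    // Models the described behaviour: session -> context, run chain, context -> session.
    static void integrationFilter(boolean guard, Chain chain) {
        if (guard && request.get(APPLIED) != null) {
            chain.proceed();               // nested pass: leave context and session alone
            return;
        }
        if (guard) request.put(APPLIED, Boolean.TRUE);
        secureContextAuth = session.get(AUTH_KEY);
        try {
            chain.proceed();
        } finally {
            session.put(AUTH_KEY, secureContextAuth); // a null here wipes the login
            secureContextAuth = null;
            if (guard) request.remove(APPLIED);
        }
    }

    // One request whose target does an include(), with the container re-applying
    // the filter on the same thread, as reported for Weblogic.
    static Object sessionAuthAfterRequest(boolean guard) {
        session.clear(); request.clear(); secureContextAuth = null;
        session.put(AUTH_KEY, "constructed-user");     // constructed sample value
        integrationFilter(guard, () ->                 // outer invocation
            integrationFilter(guard, () -> { }));      // re-entry caused by include()
        return session.get(AUTH_KEY);
    }

    public static void main(String[] args) {
        System.out.println("without guard: " + sessionAuthAfterRequest(false));
        System.out.println("with guard:    " + sessionAuthAfterRequest(true));
    }
}
```

The single shared marker does not cover the case raised above of several different IntegrationFilters in one chain; that would need one marker per filter.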

