I've been using the Acegi Security framework in a Web project for a few days now, and now I'm not sure whether I don't understand the meaning of Authentication.isAuthenticated(), or whether there is an issue with the ProviderManager (and possibly DaoAuthenticationProvider).

The basic question is: Why are already authenticated Authentication instances authenticated again and again (in the AbstractSecurityInterceptor)? They are passed to the AuthenticationManager even if Authentication.isAuthenticated() would return true, but this is never checked. Is this by design or is this an issue?

If this is an issue, there might be another one. Since the "authenticated" property is set to true in the AbstractSecurityInterceptor after the AuthenticationManager has been called, the authentication in the web tier would at least be done twice for one session. This happens because the AuthenticationProcessingFilter calls the AuthenticationManager to authenticate the Session and then sends a redirect without processing the chain. So setAuthenticated(true) would never be called in the first request anyway.

So:

1) Why doesn't the AuthenticationManager set setAuthenticated(true)?
2) Why doesn't either the AbstractSecurityInterceptor or any AuthenticationManager implementation skip the authentication if isAuthenticated() returns true?

I'll submit a patch, if you can tell me what to patch.

Andreas

-----------------------------------------------------------------------
Andreas Prohaska        fon:   +49 89 278257-42
Apeiron GmbH            fax:   +49 89 278257-49
Stahlgruberring 22      email: [EMAIL PROTECTED]
81829 München           web:   http://www.apeiron.de
-----------------------------------------------------------------------