Matt Raible wrote:
> Here's a link to AppFuse's applicationContext-security.xml file - the filters are specified in the first bean at the top.
> http://tinyurl.com/6y4jd

Matt, did you get it working in the end? As the Contacts Sample is working, it points to configuration. I checked the URL above and couldn't see any issues with the filter configuration. Could another filter (SiteMesh?) be re-creating the HttpSession and conflicting with the session invalidation? Consider this:

1. HttpSessionContextIntegrationFilter obtains Context from HttpSession and puts it in ContextHolder
2. Session invalidated during view
3. Some object/filter uses HttpServletRequest.getSession() or .getSession(true), which re-creates a new session
4. HttpSessionContextIntegrationFilter obtains a session, and copies ContextHolder Context into it
5. On next request, HttpSessionContextIntegrationFilter finds Context in the HttpSession

The above could explain the behaviour you're observing. Especially as you can call ContextHolder.setContext(null) during step 2 and it achieves logout. I'd try commenting out all the other non-Acegi Security filters and progressively re-adding them.

Cheers
Ben
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
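
Steps 1-5 of the message above, modelled as a stand-alone Java program (an added example, not code from the original message or from Acegi Security). `Container`, `integrationFilter` and the attribute name are hypothetical stand-ins for the servlet container and HttpSessionContextIntegrationFilter, and the model assumes the filter writes the context back only when a session exists at the end of the request.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model; these classes are hypothetical stand-ins, not Acegi or servlet API classes.
public class SessionRecreationDemo {
    static final String KEY = "SECURITY_CONTEXT";                    // hypothetical attribute name
    static final ThreadLocal<Object> holder = new ThreadLocal<>();   // stands in for ContextHolder

    // Stands in for the container's view of one client's HttpSession.
    static class Container {
        Map<String, Object> session;                                 // null = no valid session
        Map<String, Object> getSession(boolean create) {
            if (session == null && create) session = new HashMap<>();
            return session;
        }
        void invalidate() { session = null; }
    }
    interface Handler { void handle(Container c); }

    // Stands in for the integration filter: load the context before the chain, store it after.
    static void integrationFilter(Container c, Handler rest) {
        Map<String, Object> before = c.getSession(false);
        holder.set(before == null ? null : before.get(KEY));         // steps 1 and 5
        try {
            rest.handle(c);                                          // steps 2 and 3 happen in here
        } finally {
            Object ctx = holder.get();
            Map<String, Object> after = c.getSession(false);
            if (after != null && ctx != null) after.put(KEY, ctx);   // step 4
            holder.remove();
        }
    }

    // Returns the context the request after logout sees; null means the logout held.
    static Object contextAfterLogout(boolean clearHolder, boolean otherFilterRecreates) {
        Container c = new Container();
        c.getSession(true).put(KEY, "user=alice");                   // constructed logged-in state
        integrationFilter(c, req -> {
            req.invalidate();                                        // step 2: logout during the view
            if (clearHolder) holder.set(null);                       // the setContext(null) workaround
            if (otherFilterRecreates) req.getSession(true);          // step 3: session re-created
        });
        Object[] seen = new Object[1];
        integrationFilter(c, req -> seen[0] = holder.get());         // step 5: next request
        return seen[0];
    }

    public static void main(String[] args) {
        System.out.println("invalidate, session re-created:  " + contextAfterLogout(false, true));
        System.out.println("invalidate + clear, re-created:  " + contextAfterLogout(true, true));
        System.out.println("invalidate, no re-creation:      " + contextAfterLogout(false, false));
    }
}
```

Run it with `java SessionRecreationDemo.java`; the three cases compare invalidation alone, invalidation plus clearing the holder, and invalidation with no other component re-creating the session.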