-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Ben Alex
Sent: Tuesday, May 17, 2005 6:00 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

> Venkat Sonnathi wrote:
>
>> Hi,
>>
>> I am exploring AcegiSecurity by following the contacts sample
>> application. I observed that in
>> AbstractSecurityInterceptor.beforeInvocation method
>> authenticationManager.authenticate is being called for every request.
>> Why is it? Can it be optimized to check if authentication is already
>> done and skip this step?
>>
>> For every click the above method is called twice: once as part of
>> FilterSecurityInterceptor and once as part of MethodSecurityInterceptor,
>> and if we optimize/check for authentication then the call to
>> authenticationManager.authenticate can be avoided.
>>
>> Thanks,
>> --Venkat.
>
> Yes, it could be optimised using a range of strategies such as putting
> a flag into the ContextHolder (SecurityContextHolder in CVS and from 0.9.0).
> The trouble is then causing that flag to reset at the start of each
> request so that only the first AbstractSecurityInterceptor invocation
> causes delegation to the AuthenticationManager. Indeed if the request was
> actually authenticated during the request by an authentication mechanism
> (e.g. BASIC/Digest/form post) we should accept that AuthenticationManager
> invocation and not require any AbstractSecurityInterceptor to repeat it.
How about adding this check at one central place, the AuthenticationManager?
I am doing this and I do not see any problem. I set authenticated to
true after successful authentication, and check isAuthenticated()
before every call.


> We could refresh the SecurityContextHolder flag in the
> HttpSessionContextIntegrationFilter, but then we're reducing
> its focus on simply storing the SecurityContext between HTTP requests.
> Better yet, we could have startRequest() and
> finishRequest() methods in the SecurityContext to encapsulate this
> sort of logic and have the
> HttpSessionContextIntegrationFilter call them. Indeed that might prove
> beneficial for Captcha integration, which also
> needs to set a once-per-request style flag. What do others think?

> I have not performed any benchmarks, but given that caching is
> performed in AuthenticationProvider implementations I
> would not suspect the double-up of AuthenticationManager invocations
> would represent an urgent performance constraint at
> this time.

You are only considering the DAO authentication provider here; what about
the other providers that do not have caching?

Regards
Ghazenfer
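As an added example (not Acegi's own code, and not code posted by Ben or Ghazenfer), the Java below sketches the once-per-request strategy Ben describes and shows why the reset step he worries about matters. The Authentication and AuthenticationManager interfaces, the class names, the ThreadLocal flag and the startRequest()/finishRequest() hooks are assumptions modelled on the thread, not the project's API:

```java
import java.util.concurrent.atomic.AtomicInteger;

// Stand-ins for the Acegi types named in the thread (assumed shapes, not the
// project's own classes): a token carrying an "authenticated" flag and the
// manager that verifies it.
interface Authentication {
    Object getPrincipal();
    boolean isAuthenticated();
    void setAuthenticated(boolean authenticated);
}

interface AuthenticationManager {
    Authentication authenticate(Authentication request) throws SecurityException;
}

class UsernamePasswordToken implements Authentication {
    private final String username;
    private boolean authenticated;

    UsernamePasswordToken(String username) { this.username = username; }
    public Object getPrincipal() { return username; }
    public boolean isAuthenticated() { return authenticated; }
    public void setAuthenticated(boolean authenticated) { this.authenticated = authenticated; }
}

// Stand-in for a provider with no cache: every call is a backend lookup (the
// case Ghazenfer raises). It also models the account being disabled later.
class BackendAuthenticationManager implements AuthenticationManager {
    final AtomicInteger backendCalls = new AtomicInteger();
    volatile boolean accountEnabled = true;

    public Authentication authenticate(Authentication request) {
        backendCalls.incrementAndGet();
        if (!accountEnabled) {
            throw new SecurityException("account disabled: " + request.getPrincipal());
        }
        request.setAuthenticated(true);
        return request;
    }
}

// Decorator implementing the "once per request" idea. A ThreadLocal remembers
// which token the delegate approved during the current request; the
// startRequest()/finishRequest() hooks (assumed here, called by the filter in
// Ben's proposal) clear it. The first interceptor delegates; later ones on the
// same token in the same request return early.
class OncePerRequestAuthenticationManager implements AuthenticationManager {
    private final AuthenticationManager delegate;
    private final ThreadLocal<Authentication> verifiedThisRequest = new ThreadLocal<>();

    OncePerRequestAuthenticationManager(AuthenticationManager delegate) {
        this.delegate = delegate;
    }

    void startRequest() { verifiedThisRequest.remove(); }
    void finishRequest() { verifiedThisRequest.remove(); }

    public Authentication authenticate(Authentication request) {
        // Trust only the token this decorator saw the delegate approve in this
        // request. request.isAuthenticated() on its own is not enough: any code
        // holding the token can set that flag, and without a per-request reset a
        // session token would never be re-checked after the account is disabled.
        if (verifiedThisRequest.get() == request && request.isAuthenticated()) {
            return request;
        }
        Authentication result = delegate.authenticate(request);
        verifiedThisRequest.set(result);
        return result;
    }
}

public class OncePerRequestDemo {
    // One simulated request: the filter interceptor and the method interceptor
    // both call authenticate() on the token loaded from the session.
    static void simulateRequest(OncePerRequestAuthenticationManager manager, Authentication token) {
        manager.startRequest();
        try {
            manager.authenticate(token); // FilterSecurityInterceptor
            manager.authenticate(token); // MethodSecurityInterceptor
        } finally {
            manager.finishRequest();     // always reset: pooled threads are reused
        }
    }

    public static void main(String[] args) {
        BackendAuthenticationManager backend = new BackendAuthenticationManager();
        OncePerRequestAuthenticationManager manager = new OncePerRequestAuthenticationManager(backend);
        Authentication sessionToken = new UsernamePasswordToken("venkat");

        simulateRequest(manager, sessionToken);
        simulateRequest(manager, sessionToken);
        // Four interceptor invocations, two backend lookups: one per request.
        System.out.println("backend calls after two requests: " + backend.backendCalls.get());

        // A token that merely claims isAuthenticated() is still sent to the backend.
        Authentication claimed = new UsernamePasswordToken("admin");
        claimed.setAuthenticated(true);
        simulateRequest(manager, claimed);
        System.out.println("backend calls after self-flagged token: " + backend.backendCalls.get());

        // The per-request reset means disabling the account is seen on the next
        // request even though the session token still says isAuthenticated().
        backend.accountEnabled = false;
        try {
            simulateRequest(manager, sessionToken);
            System.out.println("unexpected: disabled account was accepted");
        } catch (SecurityException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac OncePerRequestDemo.java && java OncePerRequestDemo. The decorator keys its short-circuit on its own per-request record rather than on the token's isAuthenticated() flag alone, which is the difference between the two approaches discussed above: a flag that lives on the token and is never reset is only as trustworthy as whoever last set it, and the cost saving still depends on the delegate (a caching provider already absorbs most repeated calls; a non-caching one does not).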


_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer