Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

Venkat Sonnathi Thu, 19 May 2005 07:24:20 -0700

On 5/18/05, Mansoor, Ghazenfer (EDS) <[EMAIL PROTECTED]> wrote:
> 
> >-----Original Message-----
> >Mansoor, Ghazenfer (EDS) wrote:
> >
> >> How about adding this check at one central place,
> >AuthenticationManager?
> >>
> >>I am doing this and I do not see any problem. I set the
> >authenticate to
> >>true after successful authentication, and check for
> >isAuthentication()
> >>before every call.
> >>
> >What sets your Authentication.isAuthenticated() back to false
> >at the start of each request?
> 
> Why should it be set to false at the start of each request? It should be
> set to false only at the end of each user session.
> Logout code will set the context to null (Authentication object prior to
> .9 version) and user no longer have access to Authentication Object. New
> session will created a new Authentication Object to start.
>


I am also a bit puzzled as to why we should reset the flag at the
start of each request? In a typical web app, authentication is done
once per session.

Any pointers to how SecurityContext is propagated for RMI calls?

Regards,
--Venkat.


-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_idt12&alloc_id344&op=click
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

Reply via email to