Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

Wed, 22 Jun 2005 10:21:32 -0700 

Hi Ben,

Thanks for the changes. I looked over the changes.

Regards,
--Venkat.

On 6/22/05, Ben Alex <[EMAIL PROTECTED]> wrote:
> Venkat Sonnathi wrote:
> 
> >Hi Ben,
> >
> >Please find attached the patch for AbstractSecurityInterceptor.java,
> >Basically, it checks to see if the existing authentication is already
> >autheticated or not and then invoke
> >authenticationManager.authenticate.
> >
> >
> Hi Venkat
> 
> I have just committed to CVS various changes to the
> Authentication.isAuthenticated() handling.
> 
> Effective herein, AbstractSecurityInterceptor will only call the
> AuthenticationManager if the Authentication.isAuthenticated() == false.
> AbstractSecurityInterceptor does not call
> Authentication.setAuthenticated(true) - instead it leaves this choice to
> the AuthenticationProvider and/or Authentication concrete implementation
> to address.
> 
> Most Authentication implementations now provide a mutable
> isAuthenticated() property. By mutable, setAuthenticated(false) is
> guaranteed by the Authentication interface contract to always be
> allowed. This is used by the RMI class to ensure a remotely presented
> Authentication is set to untrusted, ensuring the
> AbstractSecurityInterceptor will trigger authentication.
> 
> Permitting setAuthenticated(true) (which would therefore bypass further
> checking at time of security interception) is an implementation choice.
> The main implementation used by Acegi Security,
> UsernamePasswordAuthenticationToken, disallows setAuthenticated(true)
> and instead relies upon the constructor to set the property. This means
> that AuthenticationProviders should be the only classes that use the
> UsernamePasswordAuthenticationToken(Object, Object, GrantedAuthority[])
> constructor. On the other hand, any class can freely use the
> UsernamePasswordAuthenticationToken(Object, Object) constructor, as the
> resulting authentication token will not be trusted (ie isAuthenticated()
> will always return false).
> 
> Unit tests pass.
> 
> Cheers
> Ben
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Home: http://acegisecurity.sourceforge.net
> Acegisecurity-developer mailing list
> Acegisecurity-developer@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Reply via email to