From the patch:
> /**
> * Controls whether the filter will remove the Anonymous token
> * after the request is complete. Since HttpSessionContextIntegrationFilter
> * will create a session for every context that is non-default, this filter has
> * the unfortunate result that any access to an anonymous resource will result
> * in a session. This can be a big hit for popular sites with thousands of
> * concurrent users where it is necessary to delay the creation of the session
> * for as long as possible. This setting can reduce the number of
> * sessions created by hits on anonymous resources like the home page,
> * login page, images, etc.
> *<p>NOTE: this defaults to false for backwards compatability.</p>
> */
Thanks for a great subsystem, guys. The documentation is fantastic,
the build as simple as 1-2-3 and the API well designed. This patch is
against the latest CVS snapshot. Note also that I removed a huge
block of javadoc that doesn't seem to apply - I assume it was a cut
and paste error.
mike
Index: AnonymousProcessingFilter.java
===================================================================
RCS file:
/cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java,v
retrieving revision 1.4
diff -r1.4 AnonymousProcessingFilter.java
43,83d42
< * <P></p>
< *
< * <p>
< * In summary, this filter is responsible for processing any request that has
a
< * HTTP request header of <code>Authorization</code> with an authentication
< * scheme of <code>Basic</code> and a Base64-encoded
< * <code>username:password</code> token. For example, to authenticate user
< * "Aladdin" with password "open sesame" the following header would be
< * presented:
< * </p>
< *
< * <p>
< * <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.
< * </p>
< *
< * <p>
< * This filter can be used to provide BASIC authentication services to both
< * remoting protocol clients (such as Hessian and SOAP) as well as standard
< * user agents (such as Internet Explorer and Netscape).
< * </p>
< *
< * <P>
< * If authentication is successful, the resulting [EMAIL PROTECTED]
Authentication} object
< * will be placed into the <code>ContextHolder</code>.
< * </p>
< *
< * <p>
< * If authentication fails, an [EMAIL PROTECTED] AuthenticationEntryPoint}
implementation
< * is called. Usually this should be [EMAIL PROTECTED]
BasicProcessingFilterEntryPoint},
< * which will prompt the user to authenticate again via BASIC authentication.
< * </p>
< *
< * <P>
< * Basic authentication is an attractive protocol because it is simple and
< * widely deployed. However, it still transmits a password in clear text and
< * as such is undesirable in many situations. Digest authentication is also
< * provided by Acegi Security and should be used instead of Basic
< * authentication wherever possible. See [EMAIL PROTECTED]
< * net.sf.acegisecurity.ui.digestauth.DigestProcessingFilter}.
< * </p>
< *
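Review bot: the javadoc deleted here (old lines 43-83) documents Basic authentication (the `Authorization: Basic` header, `BasicProcessingFilterEntryPoint`, the pointer to `DigestProcessingFilter`) and clearly belongs to the BASIC processing filter rather than to `AnonymousProcessingFilter`, so removing it is right. Because the deleted span starts at the empty `<P></p>` and ends at a bare ` *` separator line, please check that the class comment left behind still closes its last paragraph and still states what this filter itself does, so the class is not left with a truncated or empty description.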
101a61
> private boolean removeAfterRequest = false;
120a81,100
> /**
> * Controls whether the filter will remove the Anonymous token
> * after the request is complete. Since
> HttpSessionContextIntegrationFilter
> * will create a session for every context that is non-default, this
> filter has
> * the unfortunate result that any access to an anonymous resource will
> result
> * in a session. This can be a big hit for popular sites with
> thousands of
> * concurrent users where it is necessary to delay the creation of the
> session
> * for as long as possible. This setting can reduce the number of
> * sessions created by hits on anonymous resources like the home page,
> * login page, images, etc.
> *<p>NOTE: this defaults to false for backwards compatability.</p>
> */
> public void setRemoveAfterRequest(boolean remove) {
> this.removeAfterRequest = remove;
> }
>
> public boolean getRemoveAfterRequest() {
> return removeAfterRequest;
> }
>
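Review bot: for a boolean JavaBeans property the conventional read accessor is `isRemoveAfterRequest()` rather than `getRemoveAfterRequest()`; bean-definition injection goes through the setter either way, but the `is` form is what the JavaBeans convention and tooling expect. Two small points in the javadoc: `compatability` should be `compatibility`, and `HttpSessionContextIntegrationFilter` could be a `{@link}` so the dependency on that filter's session-creation behaviour is navigable. It would also help the reader to say explicitly that the token is removed only when this filter added it on the current request, since that is what the `addedToken` guard in the `doFilter` change enforces.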
132a113
> boolean addedToken = false;
136a118
> addedToken = true;
154c136,144
< chain.doFilter(request, response);
---
> try {
> chain.doFilter(request, response);
> }
> finally {
> if (addedToken && removeAfterRequest) {
> SecurityContextHolder.getContext().setAuthentication(null);
> }
> }
>
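Review bot: the `finally` block clears whatever `Authentication` is in the context when the request finishes, not specifically the anonymous token this filter added. If a filter or servlet later in the chain replaced the anonymous token with a real `Authentication` during the request (for example a component that authenticates programmatically), `SecurityContextHolder.getContext().setAuthentication(null)` discards that real authentication before `HttpSessionContextIntegrationFilter` gets to persist it, so the caller ends the request anonymous again. Suggest guarding on the token identity as well, e.g. `if (addedToken && removeAfterRequest && SecurityContextHolder.getContext().getAuthentication() == anonToken)` where `anonToken` (name assumed) is the token the filter installed, or testing `instanceof AnonymousAuthenticationToken`. The try/finally itself is the right shape: the clear has to run after `chain.doFilter` returns, and also when it throws, otherwise the non-default context is still present when the integration filter post-processes the request and the session is created anyway.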