Tim Kettering wrote:

Okay, allow me to take back what I said. I later realized that the user in session would have nothing to do with where the voters would be obtaining the user object from, so if I was properly removing the user from the SecurityContextHolder, then everything should be working right. So I went back and double checked my code, and turns out I was performing the logout operation in the Render phase, not Action, even though I was saying otherwise in my previous email. Now don’t I look all foolish. :)

So, a big mea culpa and apologies to all.


Hi Tim

Thanks for the clarification. Just for the benefit of the archives, at *no time* should people be accessing the HttpSession directly to work with the Authentication. They should *only* use the SecurityContextHolder (or ContextHolder in 0.8.3 and earlier) to interact with the current principal's identity or logged-in state.

Cheers
Ben



_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
