Tim Kettering wrote:
Okay, allow me to take back what I said. I later realized that the
user in session would have nothing to do with where the voters would
be obtaining the user object from, so if I was properly removing the
user from the SecurityContextHolder, then everything should be working
right. So I went back and double checked my code, and turns out I was
performing the logout operation in the Render phase, not Action, even
though I was saying otherwise in my previous email. Now don’t I look
all foolish. :)
So, a big mea culpa and apologies to all.

Hi Tim
Thanks for the clarification. Just for the benefit of the archives, at
*no time* should people be accessing the HttpSession directly to work
with the Authentication. They should *only* use the
SecurityContextHolder (or ContextHolder in 0.8.3 and earlier) to
interact with the current principal's identity or logged-in state.

Cheers
Ben
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer