Hi Ben, (welcome back :) Great, the isAuthenticated() is the exact key we need to determine this particular even, irrespective of the cache. I also agree that it should not be in the AuthenticationProviders...
Ben, I created a JIRA entry for this (SEC-50), you can assign to me if you want. Cheers, Mark On 8/21/05, Ben Alex <[EMAIL PROTECTED]> wrote: > Mark St.Godard wrote: > > >The HttpSessionContextIntegrationFilter should be able to set some > >sort of indicator that this is the first logon attempt since it > >generates a new SecurityContext.... however this wouldnt work for > >remote client authentication? > > > IMHO we should modify all event-aware AuthenticationProviders to publish > an event on every occasion an authentication is processed, irrespective > of the cache usage or not. There are three reasons for this: > > 1. The Authentication.getDetails() *should* provide some sort of > identifier (typically a WebAuthenticationDetails, which offers the > HttpSession ID in most cases) and this identifier can be used by the > ApplicationListener to determine what and when to log. > > 2. Recent changes to Authentication and AbstractSecurityInterceptor have > changed the semantics of Authentication.isAuthenticated(): > > /** > * Used to indicate to <code>AbstractSecurityInterceptor</code> > whether it > * should present the authentication token to the > * <code>AuthenticationManager</code>. Typically an > * <code>AuthenticationManager</code> (or, more often, one of its > * <code>AuthenticationProvider</code>s) will return an immutable > * authentication token after successful authentication, in which case > * that token can safely return <code>true</code> to this method. > * Returning <code>true</code> will improve performance, as calling the > * <code>AuthenticationManager</code> for every request will no > longer be > * necessary. > * > * <p> > * For security reasons, implementations of this interface should be > very > * careful about returning <code>true</code> to this method unless they > * are either immutable, or have some way of ensuring the properties > have > * not been changed since original creation. > * </p> > * > * @return true if the token has been authenticated and the > * <code>AbstractSecurityInterceptor</code> does not need to > * represent the token for re-authentication to the > * <code>AuthenticationManager</code> > */ > public boolean isAuthenticated(); > > As such, a DaoAuthenticationProvider (or any other > AuthenticationProvider for that matter) will only be called when a user > is genuinely not authenticated - or the use has changed the > AbstractSecurityInterceptor.alwaysReauthenticate property to false. > > 3. Most authentication processing filters (certainly those use for CAS, > AuthenticationProcessingFilter/form-based, remember-me, X509) now > publish an InteractiveAuthenticationSuccessEvent when a user logs in. > > I would welcome other opinions on this, but it seems we now have a more > comprehensive solution to application event messages than putting then > into AuthenticationProviders. > > Cheers > Ben > > > > ------------------------------------------------------- > SF.Net email is Sponsored by the Better Software Conference & EXPO > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf > _______________________________________________ > Home: http://acegisecurity.sourceforge.net > Acegisecurity-developer mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
