I mean getSession(false)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mato Mira, Fernando (DIA EMEA/A)
Sent: Wednesday, August 24, 2005 1:59 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: RE: [Acegisecurity-developer] avoiding reauthentication?

Hello,

Doing an authentication against my database takes about half a second, and we can have dozens of requests for one user operation (e.g., getting each document from a set of XML documents; this is done like this because it's easier than having one huge XML result that is cut up by the application into individual documents).

If we cache, the user cannot log in immediately with a new password after changing it. Also, when the cache is invalidated, the provider will try to authenticate with the old password in the middle of a session when the password is changed (always from another application).

What's the problem with always checking if there's an HttpSession with a valid Authentication, and only calling the manager if there's none? That should be super fast.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Alex
Sent: Wednesday, August 24, 2005 11:30 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] avoiding reauthentication?

[EMAIL PROTECTED] wrote:

> The BasicProcessingFilter is the caller.

Hi Fernando

Yes, in that case you will have re-authentication. This is because the detection of a BASIC authentication header will cause the AuthenticationManager to be called during each request.

We could modify this behaviour to compare it against the HttpSessionContextIntegrationFilter-stored Authentication, although in that case it will mean HttpSessions are needed between invocations. Recall that HttpSessionContextIntegrationFilter can have its allowSessionCreation property set to false, meaning a HttpSession is not unnecessarily created when being used with BASIC or Digest authentication. I am not sure whether the added overhead of session management would exceed the cost of hitting the AuthenticationManager and in turn an AuthenticationProvider that offers caching.

If people would like to see BASIC and Digest authentication mechanisms use the HttpSession as an optional parameter, please let me know and we can add it to JIRA.

Cheers
Ben

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
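
The session check discussed in this thread, as an added example that is not part of any message above and is not Acegi Security code. All class, method and attribute names are hypothetical: a `Map` stands in for the `HttpSession` attributes and a lambda for the `AuthenticationManager`. The session entry is reused only when the same BASIC header was already verified, so a changed password goes back to the backend.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added illustration: every name here is hypothetical, none is an Acegi Security class.
public class SessionAwareBasicAuth {
    // Stand-in for the slow AuthenticationManager call described in the thread.
    interface Backend { boolean authenticate(String user, String password); }
    static int backendCalls = 0;

    // 'session' stands in for HttpSession attributes; null models getSession(false) finding none.
    static boolean handle(String header, Map<String, Object> session, Backend backend) throws Exception {
        if (header == null || !header.startsWith("Basic ")) return false;
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(header.getBytes(StandardCharsets.ISO_8859_1));
        // Fast path only when this exact header was verified earlier in this session.
        if (session != null && session.get("verified") instanceof byte[]
                && MessageDigest.isEqual((byte[]) session.get("verified"), digest)) return true;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.ISO_8859_1);
        } catch (IllegalArgumentException e) { return false; }
        int colon = decoded.indexOf(':');
        if (colon < 0) return false;
        backendCalls++;
        boolean ok = backend.authenticate(decoded.substring(0, colon), decoded.substring(colon + 1));
        if (session != null) {
            // Keep a digest, not the password; drop the entry when verification fails.
            if (ok) session.put("verified", digest); else session.remove("verified");
        }
        return ok;
    }

    static String basic(String user, String password) {
        return "Basic " + Base64.getEncoder()
                .encodeToString((user + ":" + password).getBytes(StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> db = new HashMap<>(Map.of("alice", "old-pw")); // constructed data
        Backend backend = (u, p) -> p.equals(db.get(u));
        Map<String, Object> session = new HashMap<>();
        System.out.println(handle(basic("alice", "old-pw"), session, backend)); // backend hit
        System.out.println(handle(basic("alice", "old-pw"), session, backend)); // session hit
        db.put("alice", "new-pw"); // password changed by another application
        System.out.println(handle(basic("alice", "new-pw"), session, backend)); // backend hit
        System.out.println("backend calls: " + backendCalls);
    }
}
```

With this design a client that keeps sending the old password inside an already verified session is still accepted until that session is invalidated or expires, so a password change should also invalidate the user's sessions.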