If I only built 0.9 snapshots more regularly than every 2-3 months, I would probably have come across this earlier. But apparently I didn't build a new snapshot of 0.9 until today, and as a result spent most of the day tracking down this issue.
We are using the HttpSessionContextIntegrationFilter along with the AnonymousProcessingFilter. However, we are using our own login process with a Spring controller (not the Acegi-supplied login filter). After I built a new snapshot today, the user context would disappear on every request.

So I'm poking around with the debugger, and it seems that sometime in late July some code was added to AnonymousProcessingFilter in CVS to clear the anonymous token at the end of the request so it didn't force unnecessary session creation. I can see that the filter sets a flag at the start of the filter chain to indicate whether it actually set an anonymous token or not; then that flag, in conjunction with the 'removeAfterRequest' flag, is used to determine whether the token is cleared or not.

However, one thing I cannot figure out is this. Let's say a visitor hits the site. Since there is no token, the anonymous token is set for that request. The user logs in to the site, the site controller sets the new authentication object in the SecurityContext, and the response is sent back to the user. But since the AnonymousProcessingFilter had initially set the flag at the start of the request, it would then proceed to clear the token that the login controller had just set. I tried setting the 'removeAfterRequest' flag to false, and my application worked normally again.

So I think there's something funky with this process. I'm not seeing (at least at the moment) how AnonymousProcessingFilter can appropriately handle not deleting the authentication object at the end of the request if it's been changed sometime between when the APF first touched it and when it is handling the other end of the chain. My gut says this is a bug, but since this code was committed back in July, I find it strange that nobody else has encountered this by now... is there something I'm missing?
-tim

_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
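The request flow described in the post, modelled in a few lines of Python as an added illustration (this is not Acegi's code; `AnonymousFilterModel`, `SecurityContext`, the `compare_token` option and the `login_controller` handler are constructed stand-ins). The model shows why a "did I set a token at the start?" flag is the wrong thing to key the end-of-request cleanup on: a login controller that replaces the authentication mid-request gets its work undone. The `compare_token=True` path removes the authentication only if it is still the very object the filter put there, which is the defensive check a practitioner would want.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Authentication:
    """Minimal stand-in for an Acegi Authentication token (constructed)."""
    principal: str
    anonymous: bool = False


@dataclass
class SecurityContext:
    """Minimal stand-in for the per-request SecurityContext (constructed)."""
    authentication: Optional[Authentication] = None


Handler = Callable[[SecurityContext], None]


class AnonymousFilterModel:
    """Hypothetical model of AnonymousProcessingFilter's set-then-clear behaviour.

    remove_after_request: clear the anonymous token when the request ends
                          (the 'removeAfterRequest' flag from the post).
    compare_token:        constructed fix: only clear if the context still holds
                          the exact token this filter inserted.
    """

    def __init__(self, remove_after_request: bool = True, compare_token: bool = False):
        self.remove_after_request = remove_after_request
        self.compare_token = compare_token

    def do_filter(self, ctx: SecurityContext, next_in_chain: Handler) -> None:
        added_token = None  # plays the role of the "I set a token" flag
        if ctx.authentication is None:
            added_token = Authentication("anonymousUser", anonymous=True)
            ctx.authentication = added_token
        try:
            next_in_chain(ctx)  # rest of the chain: controllers run here
        finally:
            if added_token is not None and self.remove_after_request:
                if not self.compare_token:
                    # Flag-based cleanup: clobbers whatever is in the context,
                    # including a real login set further down the chain.
                    ctx.authentication = None
                elif ctx.authentication is added_token:
                    # Identity-based cleanup: only remove what we put there.
                    ctx.authentication = None


def login_controller(ctx: SecurityContext) -> None:
    """Custom login controller: replaces the anonymous token with a real user."""
    ctx.authentication = Authentication("tim")


def anonymous_page(ctx: SecurityContext) -> None:
    """A page that never authenticates; the anonymous token should not persist."""


def run_request(filt: AnonymousFilterModel, handler: Handler) -> Optional[Authentication]:
    """Run one request through the filter and return what is left in the context."""
    ctx = SecurityContext()
    filt.do_filter(ctx, handler)
    return ctx.authentication


def principal_after(filt: AnonymousFilterModel, handler: Handler) -> Optional[str]:
    """Convenience: the principal name left in the context, or None if cleared."""
    auth = run_request(filt, handler)
    return None if auth is None else auth.principal


if __name__ == "__main__":
    print("flag-based, login:     ", principal_after(AnonymousFilterModel(), login_controller))
    print("removeAfterRequest=off:", principal_after(AnonymousFilterModel(remove_after_request=False), login_controller))
    print("compare-token, login:  ", principal_after(AnonymousFilterModel(compare_token=True), login_controller))
    print("compare-token, anon:   ", principal_after(AnonymousFilterModel(compare_token=True), anonymous_page))
```

Running the script reproduces the symptom from the post (the flag-based filter leaves `None` after a login) and the workaround (`remove_after_request=False` keeps the login, at the cost of also keeping the anonymous token, and hence the session, for plain anonymous requests). The identity comparison keeps both properties: logins survive, anonymous tokens do not.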
