Dunstan Tom wrote:
Uh, I'm not using HttpSessionContextIntegrationFilter. Is it necessary
to use it even if you're using basic authentication and never store
anything in the http session? If so, the name is somewhat misleading.
Yeah, it should be used but in your case with
HttpSessionContextIntegrationFilter.allowSessionCreation = false. At an
encapsulation level it's good to have one class responsible for
SecurityContextHolder management, and that's the purpose of
HttpSessionContextIntegrationFilter. I'd be reluctant to put finally
blocks into either FilterChainProxy or BasicProcessingFilter as it
starts to break this encapsulation.
Cheers
Ben
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
