The scenario is: an administrator disables or deletes a user account while the user is logged in. The user's Authentication should be revoked from that moment on. What is the recommended approach for this in Acegi?
Here's what I've tried so far:

I tried keeping a map of all users' Authentication objects, and then calling Authentication.setAuthenticated(false) when the corresponding user is disabled. That properly sends the user back to the login screen, but then causes infinite loops at login -- presumably because the invalid Authentication is stuck in the user's session and never gets replaced.

I also tried keeping a map of HttpSession objects, so I could invalidate() them directly; but the container (Tomcat 5) doesn't like that: the session facade seems to use weak reference mapping, so my HttpSession reference ends up being null when I try to access it next.

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
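An added example, not part of the original post or of Acegi itself, of how the two failure modes described above can be avoided with Acegi's own concurrent-session infrastructure: instead of holding HttpSession references or flipping the Authentication flag, the admin-side code marks the user's SessionInformation entries in the SessionRegistry as expired, and ConcurrentSessionFilter invalidates the session and redirects on the user's next request. It assumes HttpSessionEventPublisher is registered as a listener in web.xml, that a SessionRegistryImpl bean is wired into both ConcurrentSessionFilter (with an expiredUrl) and this class, and that registered principals implement UserDetails. The class name and the calling admin code are hypothetical.

```java
import org.acegisecurity.concurrent.SessionInformation;
import org.acegisecurity.concurrent.SessionRegistry;
import org.acegisecurity.userdetails.UserDetails;

/**
 * Added example (not from the original post or the Acegi project).
 *
 * Called by whatever admin code disables or deletes an account. Assumes:
 *  - HttpSessionEventPublisher is registered in web.xml, so the
 *    SessionRegistry learns about session creation/destruction;
 *  - the same SessionRegistry bean is wired into ConcurrentSessionFilter,
 *    which sits early in the Acegi filter chain with an expiredUrl set;
 *  - principals stored in the registry implement UserDetails.
 */
public class SessionRevokingAccountAdmin {

    private final SessionRegistry sessionRegistry;

    public SessionRevokingAccountAdmin(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Marks every live session of the given username as expired.
     *
     * No HttpSession is touched here, so there is nothing for Tomcat's
     * weak-referenced facade to null out, and the Authentication in the
     * session is left alone, so there is no de-authenticated object left
     * behind to trigger the login loop. ConcurrentSessionFilter sees
     * isExpired() on the user's next request, invalidates that session
     * and redirects to expiredUrl; a fresh login then goes through the
     * normal UserDetailsService check, which rejects the disabled account.
     *
     * @return number of sessions marked expired (0 if the user is not logged in)
     */
    public int expireSessionsFor(String username) {
        int expired = 0;
        Object[] principals = sessionRegistry.getAllPrincipals();
        for (int i = 0; i < principals.length; i++) {
            if (!matchesUsername(principals[i], username)) {
                continue;
            }
            // false: do not return sessions that are already expired
            SessionInformation[] sessions =
                sessionRegistry.getAllSessions(principals[i], false);
            for (int j = 0; j < sessions.length; j++) {
                sessions[j].expireNow();
                expired++;
            }
        }
        return expired;
    }

    /**
     * Match on username rather than principal.equals(): the principal in
     * the registry is the object captured at login, and a re-loaded (now
     * disabled) UserDetails may not compare equal to it, so looking it up
     * with getAllSessions(newUserObject, ...) could silently find nothing.
     */
    private static boolean matchesUsername(Object principal, String username) {
        if (principal instanceof UserDetails) {
            return username.equals(((UserDetails) principal).getUsername());
        }
        return username.equals(String.valueOf(principal));
    }
}
```

Two caveats a practitioner should keep in mind. First, expireNow() is lazy: the user is only cut off when their next request passes through ConcurrentSessionFilter, so an idle session is not destroyed until then (or until the container times it out), and any request served by a filter chain that does not include ConcurrentSessionFilter will not notice the flag. Second, SessionRegistryImpl is an in-JVM map, so in a clustered deployment each node only knows about the sessions it has seen; revoking across nodes needs the registry (or the "disabled" decision) to be shared.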