Stephan Koops <Stephan.Koops <at> web.de> writes:

> > Multiple times I've found myself needing the Request instance in checkSecret()
> > on Guard so that I can store the authenticated user's information on the
> > Request as an attribute. That allows me to later use it in authorize().
>
> Add a new attribute "authenticatedUser" to the Request from type
> of a new class AuthenticatedUser (for example).

At times, data types created with a goal similar to that of the proposed class AuthenticatedUser are very expensive. A typical example would be a kind of UserSecurityContext class that describes user access rights based on role membership. Often, the construction of such classes takes a lot of computation and database queries. This is actually very typical for any more or less serious access control mechanism in a system that involves extensive user interaction. Obviously, one solution to this problem is caching of such user security context information.

Serge

