Here is something else I am wrestling with. When a user hits a protected page and authenticates, subsequent authentication requests for every page clicked on occurs. I have been reading that there is some sort of caching going on, but I still have my authenticate() method called even-though the user has been validated as having access roles for that session. So, maybe once again I am missing it, but, I could cache the credentials on my own if I could get a session timeout event and the Principal it was using for that session. I could just do a quick lookup on the principal to see if I have it already -- if so return it, else get a new one.
Am I thinking correctly? Chris -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
