On Thu, Jul 28, 2011 at 12:04 AM, Manoj Khangaonkar <[email protected]> wrote:
> On Wed, Jul 27, 2011 at 1:26 PM, Filipe Sousa <[email protected]> wrote:
>> Hi Manoj,
>>
>> That is not what I meant.
>>
>> Suppose I have the following code in a servlet and the user is already
>> authenticated
>>
>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>     SecurityUtils.getSubject().isAuthenticated();
>>     SecurityUtils.getSubject().isAuthenticated();
>> }
>>
>> Is it possible that in the second call isAuthenticated() might return false?
>>
>
> I don't think this can happen.
>
>> I have been using the following pattern:
>>
>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>     String login = (String) SecurityUtils.getSubject().getPrincipal();
>>     foo(login);
>>     bar(login);
>> }
>>
>> void foo(String login) {
>>     ...
>> }
>>
>> void bar(String login) {
>>     ...
>> }
>>
>>
>> but I was wondering if it is safe to use the following:
>>
>> protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
>>     foo();
>>     bar();
>> }
>>
>> void foo() {
>>     String login = (String) SecurityUtils.getSubject().getPrincipal();
>> }
>>
>> void bar() {
>>     String login = (String) SecurityUtils.getSubject().getPrincipal();
>> }
>>
>
> The Subject is associated with the thread. So I do not know of a reason why
> this would be unsafe.

But what about session timeout? If a session timeout occurs between the
two calls, what will the second call return: the same login or null?
I know that in the next HTTP request it will return null, but I don't
know what will happen in the same request.

Thanks

--
Filipe Sousa
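
The difference between the two patterns when the backing state changes mid-request, as an added example that is not part of the thread and is not Shiro code. `ToySession` and `LiveSubject` are hypothetical stand-ins that model a subject which re-reads its session on every call; that is an assumption made for illustration and says nothing about what Shiro itself returns.

```java
import java.util.concurrent.atomic.AtomicBoolean;

// Toy model, not Shiro: LiveSubject re-reads its backing session on every call.
public class PrincipalSnapshotDemo {

    /** Constructed stand-in for a server-side session that can expire at any time. */
    static final class ToySession {
        private final String login;
        private final AtomicBoolean expired = new AtomicBoolean(false);
        ToySession(String login) { this.login = login; }
        void expire() { expired.set(true); }
        String loginOrNull() { return expired.get() ? null : login; }
    }

    /** Hypothetical thread-bound subject that resolves the principal lazily. */
    static final class LiveSubject {
        private static final ThreadLocal<ToySession> BOUND = new ThreadLocal<>();
        static void bind(ToySession s) { BOUND.set(s); }
        static void unbind() { BOUND.remove(); }
        static String getPrincipal() {
            ToySession s = BOUND.get();
            return s == null ? null : s.loginOrNull();
        }
    }

    // Second pattern from the thread: each helper looks the principal up itself.
    static String fooLookup() { return "foo as " + LiveSubject.getPrincipal(); }
    static String barLookup() { return "bar as " + LiveSubject.getPrincipal(); }

    // First pattern from the thread: the caller resolves once and passes the value down.
    static String foo(String login) { return "foo as " + login; }
    static String bar(String login) { return "bar as " + login; }

    public static void main(String[] args) {
        ToySession session = new ToySession("filipe"); // constructed sample login
        LiveSubject.bind(session);
        try {
            String login = LiveSubject.getPrincipal(); // snapshot at request entry
            if (login == null) throw new IllegalStateException("not authenticated");

            System.out.println(fooLookup() + " / " + foo(login));
            session.expire(); // timeout fires between the two calls
            System.out.println(barLookup() + " / " + bar(login));
        } finally {
            LiveSubject.unbind(); // do not leak identity to the next request on a pooled thread
        }
    }
}
```

With the snapshot, `foo` and `bar` act for the same identity for the whole request, whatever the lookup underneath does.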
