Mark St.Godard wrote:
The HttpSessionContextIntegrationFilter should be able to set some
sort of indicator that this is the first logon attempt since it
generates a new SecurityContext however this wouldn't work for
remote client authentication?
IMHO we should modify all event-aware
Hi Ben, (welcome back :)
Great, the isAuthenticated() is the exact key we need to determine
this particular event, irrespective of the cache.
I also agree that it should not be in the AuthenticationProviders...
Ben, I created a JIRA entry for this (SEC-50), you can assign to me
if you want.
Cameron, this does not sound like the desired semantics. I have also
confirmed that this is happening on the contacts sample.
Ben, I can create a JIRA entry and fix, test and commit this today.
Cheers,
Mark
Re:
--
DaoAuthenticationProvider.java
Mark, you might be pretty aware of this, but just in case,
I am not that sure I get the point, but IMHO it might be a potential
problem here. Reading the documented method call in there
    if (!cacheWasUsed) {
        // Put into cache
        this.userCache.putUserInCache(user);
        // As this appears to be an
At this level (i.e. at the Dao provider level), I'm not sure you can
differentiate between a login with an existing cache entry and the
authentication that takes part as part of each invocation.
How would you define a logout in the scenario defined above (assuming
it didn't involve removing