Patrick Burleson wrote:
On Wed, 14 Jul 2004 08:24:25 +1000, Ben Alex <[EMAIL PROTECTED]> wrote:
I'm just wondering why Acegi Security fails on the second pass. Your earlier email mentioned a null gets put into the SecureContext, but I'm not sure how or why you're seeing this. A debug-level log would be great.
Best regards
Ben
Ben,
The reason it fails is that Weblogic runs the filters again on the same thread in their current order. So when it starts returning up the chain of filters that have been run, the second invocation of the AbstractIntegrationFilter (which was caused by Weblogic applying the filters a second time because of RequestDispatcher.include()) does its job of moving the Authentication object from the SecureContext to the Session. When the filter chain gets back to the first invocation, there is no Authentication object in the SecureContext, and thus null is put in the Session for ACEGI_SECURITY_AUTHENTICATION_KEY, essentially removing it from the session. This occurs on lines 157-174 of AbstractIntegrationFilter.
Of the App Servers I have tested (Resin, Jboss/Jetty, Weblogic), only Weblogic has the behavior of applying the filters again (in the same thread) to RequestDispatcher.include().
If you have the source of Sitemesh 2.0.1 handy and look at com.opensymphony.module.sitemesh.filter.PageFilter, starting at line 44, you can see how they deal with this situation by putting a marker in the session that this filter has already run. Otherwise, they would get caught in an infinite loop, since that filter later calls RequestDispatcher.include().
I can look at adding the same sort of code to Acegi and submitting a patch if you would like. The tricky part will be if someone has more than one IntegrationFilter going and making sure each of them runs at least once. But somehow I see that as being a rare case.
Thanks,
Patrick
Hi Patrick
Thanks for the info.
People should only be running one AbstractIntegrationFilter subclass, although they might run more than one processing filter, such as BasicProcessingFilter and AuthenticationProcessingFilter (for form-based authentication) in the same web application.
If you wouldn't mind submitting a patch, I'd be happy to apply it to CVS. I'd write it myself, but don't have access to Weblogic to give it a full test.
Best regards
Ben
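A minimal model of the re-entry described in this thread and of a run-once marker guard, added here as an illustration; it is not Acegi, Sitemesh or Weblogic code. Plain maps and a ThreadLocal stand in for the session, the request attributes and the SecureContext, the marker name is hypothetical, and the marker is kept as a request attribute here rather than in the session.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model of the filter re-entry problem; no servlet container needed.
public class ReentrantFilterDemo {
    static final String AUTH_KEY = "ACEGI_SECURITY_AUTHENTICATION_KEY";
    static final String APPLIED = "demo.integrationFilter.applied"; // hypothetical marker

    static final ThreadLocal<Object> context = new ThreadLocal<>(); // stands in for SecureContext
    static final Map<String, Object> session = new HashMap<>();     // stands in for HttpSession
    static final Map<String, Object> request = new HashMap<>();     // request attributes

    // Simplified integration filter: session -> context, run chain, context -> session.
    static void doFilter(boolean guard, Runnable chain) {
        if (guard && request.containsKey(APPLIED)) {
            chain.run(); // nested pass on the same request: touch nothing
            return;
        }
        request.put(APPLIED, Boolean.TRUE);
        context.set(session.get(AUTH_KEY));
        try {
            chain.run();
        } finally {
            // If a nested pass already cleared the context, this stores null
            // and the authentication is lost from the session.
            session.put(AUTH_KEY, context.get());
            context.remove();
            request.remove(APPLIED);
        }
    }

    // One request whose target performs an include() that re-runs the
    // filter on the same thread, as reported for Weblogic in this thread.
    static Object handle(boolean guard) {
        session.clear();
        request.clear();
        session.put(AUTH_KEY, "constructed-authentication");
        doFilter(guard, () -> doFilter(guard, () -> { /* included resource */ }));
        return session.get(AUTH_KEY);
    }

    public static void main(String[] args) {
        System.out.println("unguarded session value: " + handle(false));
        System.out.println("guarded session value:   " + handle(true));
    }
}
```

The unguarded run ends with a null session entry because the nested pass clears the context before the outer pass copies it back; with the guard, only the outermost pass moves the Authentication.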