Ben Alex wrote:
Andreas Brenk wrote:
You could use a HttpSessionListener to keep the coupling to Acegi Security separate from your controller.
See http://forum.springframework.org/viewtopic.php?t=1106 for an earlier discussion.
Perhaps this should be mentioned in the upgrade readme.
Regards, Andreas
Matt Raible wrote:
With Acegi Security 0.7.0, I was able to use session.invalidate() to logout a user - much like I do when using container-managed authentication. However, with 0.8.0, I've found that I have to use ContextHolder.setContext(null). Is there anyway to change back to the old behavior so I don't have any Acegi Security-specific code in my app - so users can easily switch back to CMA (non-Acegi Security based) if they want?
Hi Matt
Which container are you using? What does DEBUG-level logging show for HttpSessionContextIntegrationFilter? It seems to work OK for me in Tomcat 5.5 with the Contacts Sample application's logout.jsp.
For some reason, calling session.invalidate() (in a filter or in a JSP) doesn't seem to help get rid of any Acegi authentication information. Adding ContextHolder.setContext(null) in a filter that's mapped to logout.jsp seems to be the only thing that works for me. Here's my LoginFilter that gets hit:
http://static.raibledesigns.com/downloads/appfuse/api/org/appfuse/webapp/filter/LoginFilter.java.html
And my console is printing out:
[appfuse] DEBUG [http-8080-Processor3] LoginFilter.doFilter(72) | logging out 'mraible'
Matt
Matt
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
