Venkat Sonnathi wrote:

Hi Ben,
Please find attached the patch for AbstractSecurityInterceptor.java.
Basically, it checks to see if the existing authentication is already
authenticated or not and then invokes
authenticationManager.authenticate.

Hi Venkat

I have just committed to CVS various changes to the
Authentication.isAuthenticated() handling.

Effective herein, AbstractSecurityInterceptor will only call the
AuthenticationManager if the Authentication.isAuthenticated() == false.
AbstractSecurityInterceptor does not call
Authentication.setAuthenticated(true) - instead it leaves this choice to
the AuthenticationProvider and/or Authentication concrete implementation
to address.

Most Authentication implementations now provide a mutable
isAuthenticated() property. By mutable, setAuthenticated(false) is
guaranteed by the Authentication interface contract to always be
allowed. This is used by the RMI class to ensure a remotely presented
Authentication is set to untrusted, ensuring the
AbstractSecurityInterceptor will trigger authentication.

Permitting setAuthenticated(true) (which would therefore bypass further
checking at time of security interception) is an implementation choice.
The main implementation used by Acegi Security,
UsernamePasswordAuthenticationToken, disallows setAuthenticated(true)
and instead relies upon the constructor to set the property. This means
that AuthenticationProviders should be the only classes that use the
UsernamePasswordAuthenticationToken(Object, Object, GrantedAuthority[])
constructor. On the other hand, any class can freely use the
UsernamePasswordAuthenticationToken(Object, Object) constructor, as the
resulting authentication token will not be trusted (i.e. isAuthenticated()
will always return false).

Unit tests pass.

Cheers
Ben
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
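
A simplified model of the isAuthenticated() contract described in the reply above, added here as an illustration and not taken from the Acegi Security source. `DemoToken`, `intercept`, the string authorities and the sample credentials are hypothetical stand-ins; Java 9+ is assumed for `List.of`.

```java
import java.util.List;
// Simplified model of the contract described in the message; not Acegi Security source.
public class IsAuthenticatedContractDemo {
    interface Authentication {
        boolean isAuthenticated();
        void setAuthenticated(boolean trusted);
    }
    interface AuthenticationManager { Authentication authenticate(Authentication a); }
    // Hypothetical stand-in for UsernamePasswordAuthenticationToken.
    static final class DemoToken implements Authentication {
        final String principal, credentials;
        final List<String> authorities;
        private boolean authenticated;
        // Two-argument form: any caller may use it; the result is never trusted.
        DemoToken(String principal, String credentials) {
            this.principal = principal; this.credentials = credentials;
            this.authorities = List.of(); this.authenticated = false;
        }
        // Three-argument form: intended for authentication providers only.
        DemoToken(String principal, String credentials, List<String> authorities) {
            this.principal = principal; this.credentials = credentials;
            this.authorities = List.copyOf(authorities); this.authenticated = true;
        }
        public boolean isAuthenticated() { return authenticated; }
        public void setAuthenticated(boolean trusted) {
            if (trusted) throw new IllegalArgumentException("use the provider-only constructor");
            authenticated = false; // downgrading to untrusted is always allowed
        }
    }
    // Interceptor step: consult the manager only when the token is untrusted.
    static Authentication intercept(Authentication a, AuthenticationManager m) {
        return a.isAuthenticated() ? a : m.authenticate(a);
    }
    public static void main(String[] args) {
        int[] calls = {0};
        AuthenticationManager manager = a -> {   // constructed provider: one fixed password
            calls[0]++;
            DemoToken t = (DemoToken) a;
            if (!"secret".equals(t.credentials)) throw new SecurityException("bad credentials");
            return new DemoToken(t.principal, t.credentials, List.of("ROLE_USER"));
        };
        DemoToken remote = new DemoToken("alice", "secret", List.of("ROLE_ADMIN")); // claims trust
        remote.setAuthenticated(false);          // receiver marks the remote token untrusted
        DemoToken verified = (DemoToken) intercept(remote, manager);
        intercept(verified, manager);            // already trusted: manager is skipped
        System.out.println(verified.authorities + " manager calls=" + calls[0]);
        try { new DemoToken("bob", "x").setAuthenticated(true); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The authorities a remote caller put in the token are discarded: after the downgrade, only what the manager returns is trusted.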