Venkat Sonnathi wrote:

Hi Ben,

Please find attached the patch for AbstractSecurityInterceptor.java.
Basically, it checks to see if the existing authentication is already
authenticated or not and then invokes
authenticationManager.authenticate.

Hi Venkat

I have just committed to CVS various changes to the Authentication.isAuthenticated() handling.

Effective herein, AbstractSecurityInterceptor will only call the AuthenticationManager if the Authentication.isAuthenticated() == false. AbstractSecurityInterceptor does not call Authentication.setAuthenticated(true) - instead it leaves this choice to the AuthenticationProvider and/or Authentication concrete implementation to address.

Most Authentication implementations now provide a mutable isAuthenticated() property. By mutable, setAuthenticated(false) is guaranteed by the Authentication interface contract to always be allowed. This is used by the RMI class to ensure a remotely presented Authentication is set to untrusted, ensuring the AbstractSecurityInterceptor will trigger authentication.

Permitting setAuthenticated(true) (which would therefore bypass further checking at time of security interception) is an implementation choice. The main implementation used by Acegi Security, UsernamePasswordAuthenticationToken, disallows setAuthenticated(true) and instead relies upon the constructor to set the property. This means that AuthenticationProviders should be the only classes that use the UsernamePasswordAuthenticationToken(Object, Object, GrantedAuthority[]) constructor. On the other hand, any class can freely use the UsernamePasswordAuthenticationToken(Object, Object) constructor, as the resulting authentication token will not be trusted (i.e. isAuthenticated() will always return false).

Unit tests pass.

Cheers
Ben
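The contract Ben describes (two-argument constructor always untrusted, three-argument constructor trusted and reserved for providers, setAuthenticated(false) always allowed, setAuthenticated(true) refused, and the interceptor calling the manager only while isAuthenticated() is false), as an added example that is not part of the thread or of Acegi's source. The class names TokenModel and InterceptorModel, the String[] in place of GrantedAuthority[], and the fixed credential check are constructed for this illustration.

```java
import java.util.Arrays;
import java.util.List;

// Constructed model of the contract in Ben's message, not Acegi's own source; the names
// TokenModel, InterceptorModel and the String[] authorities are assumptions.
class TokenModel {
    final Object principal, credentials;
    final List<String> authorities;   // stands in for GrantedAuthority[]
    private boolean authenticated;
    // 2-arg form: any class may use it; the result is never trusted.
    TokenModel(Object principal, Object credentials) {
        this.principal = principal; this.credentials = credentials;
        this.authorities = null; this.authenticated = false;
    }
    // 3-arg form: for AuthenticationProviders only; the result is trusted.
    TokenModel(Object principal, Object credentials, String[] authorities) {
        this.principal = principal; this.credentials = credentials;
        this.authorities = Arrays.asList(authorities); this.authenticated = true;
    }
    boolean isAuthenticated() { return authenticated; }
    // setAuthenticated(false) always succeeds (the RMI layer relies on it);
    // setAuthenticated(true) is refused so nothing can bypass the provider.
    void setAuthenticated(boolean value) {
        if (value) throw new IllegalArgumentException(
            "use the (Object, Object, GrantedAuthority[]) constructor instead");
        authenticated = false;
    }
}
class InterceptorModel {
    int providerCalls = 0;
    // Stand-in for AuthenticationManager.authenticate: the provider checks the
    // credentials (a constructed fixed value here) and issues a trusted token.
    TokenModel provider(TokenModel t) {
        providerCalls++;
        if (!"secret".equals(t.credentials)) throw new SecurityException("bad credentials");
        return new TokenModel(t.principal, t.credentials, new String[] {"ROLE_USER"});
    }
    // Interceptor rule: call the manager only while isAuthenticated() == false.
    TokenModel intercept(TokenModel t) { return t.isAuthenticated() ? t : provider(t); }
    public static void main(String[] args) {
        InterceptorModel i = new InterceptorModel();
        TokenModel trusted = i.intercept(new TokenModel("venkat", "secret")); // provider called
        i.intercept(trusted);                  // already trusted: provider skipped
        trusted.setAuthenticated(false);       // e.g. marked untrusted on RMI receipt
        i.intercept(trusted);                  // provider called again
        System.out.println("provider calls: " + i.providerCalls);
    }
}
```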


Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
