Mark St.Godard wrote:
The HttpSessionContextIntegrationFilter should be able to set some
sort of indicator that this is the first logon attempt since it
generates a new SecurityContext.... however this wouldnt work for
remote client authentication?
IMHO we should modify all event-aware AuthenticationProviders to publish
an event on every occasion an authentication is processed, irrespective
of the cache usage or not. There are three reasons for this:
1. The Authentication.getDetails() *should* provide some sort of
identifier (typically a WebAuthenticationDetails, which offers the
HttpSession ID in most cases) and this identifier can be used by the
ApplicationListener to determine what and when to log.
2. Recent changes to Authentication and AbstractSecurityInterceptor have
changed the semantics of Authentication.isAuthenticated():
/**
* Used to indicate to <code>AbstractSecurityInterceptor</code>
whether it
* should present the authentication token to the
* <code>AuthenticationManager</code>. Typically an
* <code>AuthenticationManager</code> (or, more often, one of its
* <code>AuthenticationProvider</code>s) will return an immutable
* authentication token after successful authentication, in which case
* that token can safely return <code>true</code> to this method.
* Returning <code>true</code> will improve performance, as calling the
* <code>AuthenticationManager</code> for every request will no
longer be
* necessary.
*
* <p>
* For security reasons, implementations of this interface should be
very
* careful about returning <code>true</code> to this method unless they
* are either immutable, or have some way of ensuring the properties
have
* not been changed since original creation.
* </p>
*
* @return true if the token has been authenticated and the
* <code>AbstractSecurityInterceptor</code> does not need to
* represent the token for re-authentication to the
* <code>AuthenticationManager</code>
*/
public boolean isAuthenticated();
As such, a DaoAuthenticationProvider (or any other
AuthenticationProvider for that matter) will only be called when a user
is genuinely not authenticated - or the use has changed the
AbstractSecurityInterceptor.alwaysReauthenticate property to false.
3. Most authentication processing filters (certainly those use for CAS,
AuthenticationProcessingFilter/form-based, remember-me, X509) now
publish an InteractiveAuthenticationSuccessEvent when a user logs in.
I would welcome other opinions on this, but it seems we now have a more
comprehensive solution to application event messages than putting then
into AuthenticationProviders.
Cheers
Ben
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
