I paid some attention to the thread about "avoiding reauthentication" when it was active a week or so ago, because I've had some similar experiences with acegi requireing reauthentication. but I wasn't using the latest snapshot, so I kept quiet.
so I've just updated against HEAD, and it looks to me as though acegi is reauthenticating more than it should, or more than I would expect, anyhow. I've got to think this is due to a configuration error on my part, so I could use some guidance. here's the thing: I notice the following in AbstractSecurityInterceptor : protected InterceptorStatusToken beforeInvocation(Object object) { ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource() .getAttributes(object); if (attr != null) { ... } else { // Set Authentication object (if it exists) to be unauthenticated if (SecurityContextHolder.getContext().getAuthentication() != null) { Authentication authenticated = SecurityContextHolder.getContext() .getAuthentication(); authenticated.setAuthenticated(false); SecurityContextHolder.getContext().setAuthentication(authenticated); } } so what appears to happen is that a request for some protected page will go through, authentication will be triggered, and after authentication everything proceeds fine. but then as soon as any non-protected resource (an image, CSS, etc.) is requested, the 'authenticated' flag on the authentication object is set to false, so the next time around we'll need to reauthenticate. what am I missing here? -- joe ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer