Hi Ben and all
 
I've occasionally seen some odd behaviour with access to an anonymous client being allowed with one request and disallowed with the next, but today I managed to track down what's happening.
 
Running CVS HEAD from a couple of days ago, I can log in to our application as one user, make a number of requests, then log off and log in as a different one. If I manage to get the right thread from the thread pool (tomcat), it will still have a SecureContext bound to the thread for the first user, and the request will execute with that context. Eek.
 
This is all using basic authentication, with the acegi filters ordered thusly (in the filterChainProxy): basicProcessingFilter, anonymousProcessingFilter, securityEnforcementFilter.
 
Is this by design? I would have thought that somewhere in maybe the FilterChainProxy there'd be a finally clause that cleared the SecureContext from the thread.
 
Cheers
 
Tom
 


************************************************************************
The information in this e-mail together with any attachments is
intended only for the person or entity to which it is addressed
and may contain confidential and/or privileged material.
Any form of review, disclosure, modification, distribution
and/or publication of this e-mail message is prohibited.
If you have received this message in error, you are asked to
inform the sender as quickly as possible and delete this message
and any copies of this message from your computer and/or your
computer system network.
************************************************************************
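The behaviour described above, as an added example that is not code from the original post or from Acegi: a thread-bound security context held in a ThreadLocal, two requests served by the same pooled worker thread, and the difference between a filter that never clears the binding and one that does so in a finally clause. The names ContextHolder, SecurityContext, leakyFilter and safeFilter are illustrative stand-ins, not the library's real API, and the one-thread pool stands in for a Tomcat worker that happens to pick up both requests.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Added example, not Acegi/Spring Security code. Models a thread-bound security
// context and a pooled request thread, showing why a context that is not cleared
// at the end of a request leaks into the next request served by the same thread.
// ContextHolder, SecurityContext, Request and the two filters are illustrative
// names chosen here, not the real library's classes.
public class ThreadLocalLeakDemo {

    /** Stand-in for the principal bound to the current request. */
    static final class SecurityContext {
        final String principal;
        SecurityContext(String principal) { this.principal = principal; }
    }

    /** Thread-bound holder backed by a ThreadLocal; nothing removes the value automatically. */
    static final class ContextHolder {
        private static final ThreadLocal<SecurityContext> CONTEXT = new ThreadLocal<>();
        static void set(SecurityContext c) { CONTEXT.set(c); }
        static SecurityContext get() { return CONTEXT.get(); }
        static void clear() { CONTEXT.remove(); }
    }

    /** Simulated request: the identity from an Authorization header, or null for anonymous. */
    static final class Request {
        final String credentials;
        Request(String credentials) { this.credentials = credentials; }
    }

    /** Leaky variant: binds a context when credentials are present and never clears it. */
    static String leakyFilter(Request req) {
        if (req.credentials != null) {
            ContextHolder.set(new SecurityContext(req.credentials));
        }
        return handle();
    }

    /** Safe variant: same work, but the binding is always undone in finally, even on exceptions. */
    static String safeFilter(Request req) {
        try {
            if (req.credentials != null) {
                ContextHolder.set(new SecurityContext(req.credentials));
            }
            return handle();
        } finally {
            ContextHolder.clear();
        }
    }

    /** Downstream handler: reports who the current thread believes is calling. */
    static String handle() {
        SecurityContext c = ContextHolder.get();
        return c == null ? "anonymous" : c.principal;
    }

    /**
     * Runs an authenticated request followed by an anonymous one on a single pooled
     * thread and returns the identity the anonymous request was handled as.
     */
    static String secondRequestSees(boolean useSafeFilter) throws Exception {
        // One worker thread, reused for both requests, like a busy Tomcat pool thread.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            Request authenticated = new Request("alice");
            Request anonymous = new Request(null);
            pool.submit(() -> useSafeFilter ? safeFilter(authenticated) : leakyFilter(authenticated)).get();
            return pool.submit(() -> useSafeFilter ? safeFilter(anonymous) : leakyFilter(anonymous)).get();
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky filter, anonymous request handled as: " + secondRequestSees(false));
        System.out.println("safe filter, anonymous request handled as:  " + secondRequestSees(true));
    }
}
```

Run it with `java ThreadLocalLeakDemo.java` on JDK 11 or later. With the leaky filter the anonymous request inherits the first user's context because the pool thread, and its ThreadLocal slot, outlive the request; with the clearing finally clause the second request is handled as anonymous. The same reasoning applies to any per-thread state in a servlet container: whatever binds it on the way in must unbind it on the way out, on every exit path.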
