CJ wrote:

> Scenario is: an Administrator disables or deletes a user account, while the
> user is logged in. The user's Authentication should be revoked from that
> moment on. What is the recommended approach for this in Acegi?
I'd suggest forcing reauthentication for each secure object request by setting AbstractSecurityInterceptor.alwaysReauthenticate = true. That will cause your AuthenticationManager to be requeried for each authorization request.

The actual configuration will then vary on a per-provider basis, but assuming you're using DaoAuthenticationProvider it simply becomes a matter of evicting the cached UserDetails object from AbstractUserDetailsAuthenticationProvider.userCache. That will cause the next secure object request to go through to your database, and the invalidated/deleted account will thus be detected.

Cheers
Ben

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
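The two halves of Ben's suggestion, as an added example that is not part of the original thread or of the Acegi code base: the interceptor is configured with alwaysReauthenticate so the AuthenticationManager runs on every secure object invocation, and the administrative code that disables or deletes the account evicts the user from the same UserCache bean that DaoAuthenticationProvider reads. The Acegi types used (UserCache, UserDetails, User, GrantedAuthorityImpl, FilterSecurityInterceptor) are the Acegi 1.0 ones; UserStore, AccountAdminService and the in-memory cache are assumptions made for this illustration and are not Acegi classes.

```java
import java.util.HashMap;
import java.util.Map;

import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.dao.UserCache;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;

// Step 1 (Spring XML, reproduced here as a comment so the example stays one file):
// make the secure object interceptor re-run the AuthenticationManager on every
// request instead of trusting the Authentication already in the SecurityContext.
//
//   <bean id="filterInvocationInterceptor"
//         class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
//     <property name="alwaysReauthenticate" value="true"/>
//     <property name="authenticationManager" ref="authenticationManager"/>
//     <property name="accessDecisionManager" ref="accessDecisionManager"/>
//     <property name="objectDefinitionSource"> ... </property>
//   </bean>
//
//   <bean id="daoAuthenticationProvider"
//         class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
//     <property name="userDetailsService" ref="userDetailsService"/>
//     <property name="userCache" ref="userCache"/>   <!-- same bean as below -->
//   </bean>
//
// Step 2: the admin operation updates the store AND evicts the cache entry.
// Without the eviction, the per-request re-authentication still finds the stale
// UserDetails (enabled=true) in the cache and never reaches the database.

/** Hypothetical persistence facade (assumption; not an Acegi type). */
interface UserStore {
    void setEnabled(String username, boolean enabled);
    void delete(String username);
}

/** Hypothetical admin service that must be used for every disable/delete. */
class AccountAdminService {
    private final UserStore store;
    private final UserCache userCache; // the bean wired into DaoAuthenticationProvider

    AccountAdminService(UserStore store, UserCache userCache) {
        this.store = store;
        this.userCache = userCache;
    }

    /** Disable first, then evict, so a request racing the eviction cannot re-cache the old row. */
    public void disableAccount(String username) {
        store.setEnabled(username, false);
        userCache.removeUserFromCache(username);
    }

    public void deleteAccount(String username) {
        store.delete(username);
        userCache.removeUserFromCache(username);
    }
}

/** Minimal in-memory UserCache for the stand-alone demo (assumption; use EhCacheBasedUserCache in production). */
class MapUserCache implements UserCache {
    private final Map<String, UserDetails> map = new HashMap<String, UserDetails>();
    public UserDetails getUserFromCache(String username) { return map.get(username); }
    public void putUserInCache(UserDetails user) { map.put(user.getUsername(), user); }
    public void removeUserFromCache(String username) { map.remove(username); }
}

public class RevokeOnDisableDemo {
    public static void main(String[] args) {
        final Map<String, Boolean> enabledFlags = new HashMap<String, Boolean>();
        enabledFlags.put("cj", Boolean.TRUE);
        UserStore store = new UserStore() {
            public void setEnabled(String u, boolean e) { enabledFlags.put(u, Boolean.valueOf(e)); }
            public void delete(String u) { enabledFlags.remove(u); }
        };

        UserCache cache = new MapUserCache();
        // Simulate what DaoAuthenticationProvider did on the user's successful login.
        cache.putUserInCache(new User("cj", "secret", true, true, true, true,
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") }));

        AccountAdminService admin = new AccountAdminService(store, cache);
        admin.disableAccount("cj");

        // With alwaysReauthenticate=true the next request re-runs the provider,
        // which now misses the cache and reloads the (disabled) row from the store.
        UserDetails cached = cache.getUserFromCache("cj");
        System.out.println("cache hit after disable: " + (cached != null)); // false
        System.out.println("store says enabled: " + enabledFlags.get("cj")); // false
    }
}
```

Two caveats a deployment should check: the eviction must target the very UserCache instance the provider uses (a second cache bean with the same configuration evicts nothing useful), and in a cluster with a per-JVM cache the eviction only affects the node it ran on, so the other nodes keep serving the stale entry until it expires unless the cache is shared or the eviction is broadcast.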