reloading GrantedAuthority[] in Authentication?
This topic is closed

  • reloading GrantedAuthority[] in Authentication?

    during the course of a user's session, he/she may gain more granted authorities

    how can I reload this array in the Authentication object?

    the UsernamePasswordAuthenticationToken contains a getAuthorities() method, but not a set counterpart

    I can reload the array for my custom User object, (I subclass net.sf.acegisecurity.UserDetails) but that doesn't seem to matter when I try to access the secured resource that requires the newly added granted authority

    I'm not using a caching system, since I'm in a web environment, which seems to call my custom AuthenticationDao's loadUserByUsername method only once, during the initial login, and never again during successive secured resource access attempts


  • #2
    ok, here's a better question; how do I force a reauthentication?
    currently I'm using a FilterSecurityInterceptor, and have the alwaysReauthenticate property set to false and would like to keep it that way
    do I just null something perhaps?


    • #3
      ok, I tried doing this in my web layer
      SecurityContextHolder.getContext().getAuthentication().setAuthenticated(false);
      seems to do the trick, though I'm not sure if it's the safest or recommended way to achieve what I want

      please advise if it's not, thanks


      • #4
        There were a few threads about this months back, but I can't remember what others
        suggested. SecurityContext.getContext().setAuthentication(null) sounds okay to me.

        If you're caching authentication objects, you should delete this Authentication
        from the cache as well or you may run into very hard-to-track-down problems.


        • #5
          setting it to null forces a login (prompt for principal and credentials) in addition to a reauthentication


          • #6
            SecurityContextHolder.getContext().getAuthentication().setAuthenticated(false) will do the trick and is intended to work. Just remember to also evict any element from your UserDetailsCache (if applicable).
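
An added example, not part of any post in this thread and not Acegi code: a stand-alone model of the behaviour the replies describe. It shows a stale token hiding a newly granted authority, the unauthenticated flag triggering a reload, and an unevicted cache entry defeating that reload. The class, its `Token` type, the two maps and the user "alice" are hypothetical stand-ins constructed for the illustration.

```java
import java.util.*;

// Simplified stand-ins for the Acegi pieces discussed in the thread; none of these are library classes.
public class ReloadAuthoritiesDemo {
    static final Map<String, Set<String>> STORE = new HashMap<>();       // constructed user store (the DAO's data)
    static final Map<String, Set<String>> USER_CACHE = new HashMap<>();  // stand-in for a user details cache

    static class Token {                  // plays the role of the Authentication object
        final String name;
        final Set<String> authorities;
        boolean authenticated;
        Token(String name, Set<String> authorities, boolean authenticated) {
            this.name = name; this.authorities = authorities; this.authenticated = authenticated;
        }
    }

    static Token session;                 // token kept for the user's session

    // Plays the role of the authentication manager: cache first, then the store.
    // Credential checking is left out; only authority loading is modelled.
    static Token authenticate(String name) {
        Set<String> loaded = USER_CACHE.computeIfAbsent(name, n -> new HashSet<>(STORE.get(n)));
        return new Token(name, new HashSet<>(loaded), true);
    }

    // Plays the role of the interceptor with alwaysReauthenticate=false:
    // authorities are reloaded only when the token is flagged unauthenticated.
    static boolean canAccess(String requiredAuthority) {
        if (session == null) throw new IllegalStateException("no Authentication: full login required");
        if (!session.authenticated) session = authenticate(session.name);
        return session.authorities.contains(requiredAuthority);
    }

    public static void main(String[] args) {
        STORE.put("alice", new HashSet<>(Arrays.asList("ROLE_USER")));
        session = authenticate("alice");                  // initial login
        STORE.get("alice").add("ROLE_EDITOR");            // authority granted mid-session

        System.out.println("stale token:       " + canAccess("ROLE_EDITOR"));
        session.authenticated = false;                    // flag only, cache entry still old
        System.out.println("flag, cache kept:  " + canAccess("ROLE_EDITOR"));
        USER_CACHE.remove("alice");                       // evict, then flag again
        session.authenticated = false;
        System.out.println("flag after evict:  " + canAccess("ROLE_EDITOR"));
    }
}
```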