Why the acegi authenticated only once...
This topic is closed

  • Why the acegi authenticated only once...

    I use Acegi and CAS, and I wrote my own authenticationDao with

    I implement rabc. Everything is OK!

    But a strange thing happens:

    I use Tomcat 5.0.28 to test. Only the first time I visit the secured URL does the application ask me to log in to CAS. After authenticating successfully, I close IE and visit the same URL, and it does not need to authenticate. Even when I restart Tomcat, it does not need to authenticate either. Only when I clear Tomcat's work directory and restart again does it work!

    Why? :x

  • #2
    I haven't looked at the Acegi code that closely, but I would assume it's because the authentication information is still in the session.

    I know that Tomcat 5 attempts to serialize sessions to disk on shutdown and then restore them when it's started. I would assume IE is still sending the cookie to the server if your authentication is still valid.

    That's just a guess though.


    • #3
      Wow, that Tomcat behaviour is sure going to catch some people.... Thanks for the info Scott.

      It's also possible that maybe Acegi Security is forwarding the browser back through to the CAS Server which is reauthenticating the user and sending the ticket back to the Acegi Security secured application. Try switching on debug-level logging to get some more clues as to what is happening, if it is not the Tomcat 5 serialization Scott mentioned.


      • #4
        If you want to disable session saving, check this out:

        To enable/disable is one of the options.
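
Added example, not part of the thread: a shell audit for the behaviour discussed above, where an authenticated session survives a Tomcat restart. It assumes Tomcat's stock StandardManager, which serializes sessions to `SESSIONS.ser` under the work directory and stops doing so when the context sets `<Manager pathname="" />`; the function names and the two path arguments are hypothetical and supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the thread): audit a Tomcat instance for sessions
# that survive a restart. Assumes the stock StandardManager, which serializes
# active sessions to SESSIONS.ser under work/ on a clean shutdown.

# Print every persisted session store under <catalina_base>/work.
list_persisted_sessions() {
    [ -d "$1/work" ] || return 0
    find "$1/work" -type f -name 'SESSIONS.ser' | sort
}

# Print a context descriptor on one line with XML comments removed, so a
# commented-out <Manager> element is not mistaken for an active one.
strip_xml_comments() (
    s=$(tr '\n' ' ' < "$1")
    while :; do
        case $s in *'<!--'*) ;; *) break ;; esac
        before=${s%%'<!--'*}
        rest=${s#*'<!--'}
        case $rest in
            *'-->'*) s=$before${rest#*'-->'} ;;
            *) s=$before; break ;;
        esac
    done
    printf '%s\n' "$s"
)

# Succeed if the descriptor sets <Manager pathname=""/>, which turns off
# restart persistence for the StandardManager.
persistence_disabled() {
    [ -f "$1" ] || return 1
    strip_xml_comments "$1" | grep -Eq '<Manager[^>]*[[:space:]]pathname=""'
}

# Usage: audit_tomcat <catalina_base> <context_descriptor>
# Both paths are supplied by the caller; where the descriptor lives depends
# on the Tomcat version and deployment.
audit_tomcat() {
    stores=$(list_persisted_sessions "$1" | wc -l | tr -d ' ')
    if persistence_disabled "$2"; then
        echo "persistence=disabled stores=$stores"
    else
        echo "persistence=enabled stores=$stores"
    fi
}

if [ "$#" -ge 2 ]; then audit_tomcat "$1" "$2"; fi
```

A non-zero `stores` count after shutdown means authenticated sessions are sitting on disk and will be restored at the next start, which matches the symptom that only clearing the work directory forced a new login.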