  • Understanding HttpSessionContextIntegrationFilter

    Having a conceptual block; hope someone will take pity. The idea behind HttpSessionContextIntegrationFilter is that when a request is made, Acegi will first check to see if there is an Authentication object in the session (i.e., if the user has previously authenticated and the session is valid). This is required because otherwise the authentication would be performed for each request.

    So far, so good. However, I've created my own little test AuthenticationDao, and what I'm finding is that it gets called every request. So, HttpSessionContextIntegrationFilter is not working as I understand it. Is this the intended behavior, or have I misconfigured something? If it is the intended behavior, then I'm confused as to how you avoid doing the authentication for each request.

    (The filter orders are correct).


  • #2
    Well, after much hair-pulling, it turns out that HttpSessionContextIntegrationFilter was not the problem. This feature (authenticating once only) simply didn't work. However, the failure was masked if you used caching, which apparently everyone did. Turn off caching and you are forced to authenticate every time.

    Instead of making the call to authenticate in AbstractSecurityInterceptor conditional on isAuthenticated, it's called every time regardless. (>= 0.9, the call is conditional on whether isAuthenticated returns true, as you might expect.) I actually discovered an unrelated post where Ben says turning caching off in DAO authentication would cause it to authenticate each time, so that's where I discovered it was intentional. Seems convoluted to use a separate caching mechanism when you are already storing it in the session. It also means you would have to match your session and cache timeouts for this to work.

    However, the problem was masked as long as you were using caching. There's actually a post
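As an added illustration (not code from this thread or from Acegi itself), the following self-contained Java program models the AbstractSecurityInterceptor decision discussed above: a DAO-backed provider is consulted only when the Authentication carried in the session is not already marked authenticated, unless an alwaysReauthenticate-style switch forces a user-store lookup on every request. All class names are hypothetical stand-ins and the session key is a constructed value.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for an Authentication token: the principal plus the
// "already authenticated" flag that the interceptor consults.
final class SessionAuthentication {
    final String principal;
    final boolean authenticated;
    SessionAuthentication(String principal, boolean authenticated) {
        this.principal = principal;
        this.authenticated = authenticated;
    }
}

// Hypothetical DAO-backed provider; counts lookups so the cost of
// re-authenticating on every request becomes visible.
final class CountingDaoProvider {
    int lookups = 0;
    SessionAuthentication authenticate(SessionAuthentication request) {
        lookups++; // one user-store hit (no cache) per call
        return new SessionAuthentication(request.principal, true);
    }
}

// Models the interceptor's choice: trust an authenticated token from the
// session, or re-run authentication when alwaysReauthenticate is set.
final class ModelInterceptor {
    private final CountingDaoProvider dao;
    private final boolean alwaysReauthenticate;
    ModelInterceptor(CountingDaoProvider dao, boolean alwaysReauthenticate) {
        this.dao = dao;
        this.alwaysReauthenticate = alwaysReauthenticate;
    }
    SessionAuthentication authenticateIfRequired(SessionAuthentication auth) {
        if (auth.authenticated && !alwaysReauthenticate) {
            return auth; // session already holds a valid authentication
        }
        return dao.authenticate(auth);
    }
}

public class SessionReauthDemo {
    private static final String CONTEXT_KEY = "EXAMPLE_SECURITY_CONTEXT"; // constructed key

    // Simulates several requests sharing one HTTP session: each request reads the
    // token out of the session, runs the interceptor, and stores the result back.
    static int daoLookupsFor(int requests, boolean alwaysReauthenticate) {
        CountingDaoProvider dao = new CountingDaoProvider();
        ModelInterceptor interceptor = new ModelInterceptor(dao, alwaysReauthenticate);
        Map<String, SessionAuthentication> session = new HashMap<>();
        session.put(CONTEXT_KEY, new SessionAuthentication("alice", false)); // fresh login
        for (int i = 0; i < requests; i++) {
            SessionAuthentication ctx = session.get(CONTEXT_KEY);
            session.put(CONTEXT_KEY, interceptor.authenticateIfRequired(ctx));
        }
        return dao.lookups;
    }

    public static void main(String[] args) {
        System.out.println("conditional: " + daoLookupsFor(3, false));
        System.out.println("always:      " + daoLookupsFor(3, true));
    }
}
```

With the conditional check, three requests produce a single DAO lookup because the session token is trusted after the first; with the switch set, every request hits the user store, which is the behaviour the thread describes being hidden by caching.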