
  • Authentication /Session maintenance.

    I have a confusion regarding Acegi handling of authentication and session maintenance.

    Let me describe it.
    AuthenticationManager does the authentication. There is a process (a filter) that stores the Authentication object in the ContextHolder. HttpSessionContextIntegrationFilter syncs that with the HttpSession.

    Now, on the next request, it looks like AuthenticationManager tries to authenticate again, so caching is left to the AuthenticationProvider, correct? I guess the Dao provider has caching, not any other provider.

    Shouldn't the AuthenticationManager make sure that it authenticates only if the user is not already authenticated, rather than authenticating every time?


    I have a case where I am trying to authenticate from a non-web-based application, and I use the AuthenticationManager to do that. To achieve this, I will have to write the code to make sure I store the information in the ContextHolder. Similarly, is there anything in Acegi that lets us have authentication caching without using the Dao provider?

  • #2
    Shouldn't the AuthenticationManager make sure that it authenticates only if the user is not already authenticated, rather than authenticating every time?
    I'm not quite sure what you're getting at here. Sometimes people have the misconception that authentication only takes place at logon, but the credentials have to be authenticated for each call/request. Whether that means checking a cache or going through the full process of loading from a database, LDAP or whatever, it still has to be done.

    I have a case where I am trying to authenticate from a non-web-based application, and I use the AuthenticationManager to do that. To achieve this, I will have to write the code to make sure I store the information in the ContextHolder. Similarly, is there anything in Acegi that lets us have authentication caching without using the Dao provider?
    CAS, Dao and X509 authentication all have caching. What provider are you using?



    • #3
      I am using JaasAuthenticationProvider.
      Although I can write my own JAAS provider and use the cache as other providers are doing, rather than doing it in each provider, shouldn't it be done at the AuthenticationManager/ProviderManager level, so it doesn't have to be in each provider?



      • #4
        It could be done in AuthenticationManager, but then things like renewing tokens in SSO environments and the like wouldn't be flexible. You'd also need a way of keying on the principal Object. The problem is the principal Object usually changes on return from an AuthenticationDao.

        You could always write a CachingAuthenticationManager yourself, or add caching to the JAAS provider. If you did the latter, we'd be happy to add it to CVS.

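The caching wrapper suggested in #4, sketched as an added example that is not part of the thread and is not Acegi code. The `Authenticator` interface is a hypothetical stand-in for the wrapped manager or provider, and Java 16+ is assumed. The cache is keyed on the username, but a hit also requires the presented password to match an HMAC of the last verified one, so a cached entry never accepts different credentials, and entries expire so that revocations reach the backend.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CachingAuthDemo {
    /** Hypothetical stand-in for the wrapped manager/provider; not an Acegi type. */
    interface Authenticator { boolean authenticate(String user, String password); }

    static final class CachingAuthenticator implements Authenticator {
        private record Entry(byte[] tag, long expiresAt) {}
        private final Authenticator delegate;
        private final long ttlMillis;
        private final byte[] key = new byte[32];   // random per-process HMAC key
        private final Map<String, Entry> cache = new ConcurrentHashMap<>();
        CachingAuthenticator(Authenticator delegate, long ttlMillis) {
            this.delegate = delegate;
            this.ttlMillis = ttlMillis;
            new SecureRandom().nextBytes(key);
        }
        // Keyed MAC over user and password: the cache never holds the plaintext.
        private byte[] tag(String user, String password) {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(key, "HmacSHA256"));
                mac.update(user.getBytes(StandardCharsets.UTF_8));
                mac.update((byte) 0);
                return mac.doFinal(password.getBytes(StandardCharsets.UTF_8));
            } catch (GeneralSecurityException ex) { throw new IllegalStateException(ex); }
        }
        public boolean authenticate(String user, String password) {
            byte[] presented = tag(user, password);
            Entry e = cache.get(user);
            // Hit only if unexpired AND same credentials (constant-time compare).
            if (e != null && System.currentTimeMillis() < e.expiresAt()
                    && MessageDigest.isEqual(e.tag(), presented)) return true;
            // Miss, expiry or mismatch: full check; a failure evicts the entry.
            if (!delegate.authenticate(user, password)) { cache.remove(user); return false; }
            cache.put(user, new Entry(presented, System.currentTimeMillis() + ttlMillis));
            return true;
        }
    }
    public static void main(String[] args) {
        int[] calls = {0};   // counts trips to the (constructed) slow backend
        Authenticator slow = (u, p) -> { calls[0]++; return u.equals("alice") && p.equals("s3cret"); };
        Authenticator auth = new CachingAuthenticator(slow, 60_000);
        System.out.println(auth.authenticate("alice", "s3cret") + " " + auth.authenticate("alice", "s3cret")
                + " " + auth.authenticate("alice", "wrong") + " backend calls=" + calls[0]);
    }
}
```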