
Thread: repeated authentication of Authentication object

  1. #1
    Join Date: Oct 2004
    Posts: 1

    repeated authentication of Authentication object

    This is my understanding of the SecurityInterceptor mechanics:
    For each request an Authentication object is retrieved from the SecureContext. The Authentication object gets authenticated and the authenticated Authentication object gets placed back in the SecureContext.

    Question: Why is it necessary to (re)authenticate an Authentication object even if it has already been authenticated in a previous request? Specifically, are there any security concerns regarding this procedure, or could the (re)authentication also be avoided by simply reusing an authenticated Authentication object?

    Thanks for your patience
    Chris

  2. #2
    Join Date: Aug 2004
    Location: Sydney, Australia
    Posts: 2,768

    From http://www.mail-archive.com/acegisec...msg00498.html:

    By constantly re-authenticating, the Authentication is guaranteed to always represent the latest state of the authentication repository. This is important if an account is disabled (how many times have sys admins got "the call" saying, "the GM is with <insert employee here> and he's asked me to ask you to cancel their computer access right away and call him when it's done"). On a more positive note, it also ensures any changes in GrantedAuthority[]s are reflected immediately. At a performance level there is little cost in doing this due to the inclusion of caching interfaces. I hear someone thinking, "doesn't caching undermine that use case just mentioned?". No, because the caching implementations can provide cache eviction methods - they need not be based on a timeout. The point is it's an implementation option, which would not exist if relying on Authentication.isAuthenticated() alone.
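
The design the reply describes, as an added example that is neither Acegi's code nor the poster's: a toy provider that re-authenticates on every request against the repository, with a cache that the admin path evicts explicitly instead of waiting for a timeout. All class and method names are hypothetical, and the sample user is constructed; it needs Java 16 or later for the record.

```java
import java.util.*;
// Toy model of per-request re-authentication backed by an explicitly evicted cache.
// Names are hypothetical; this is not Acegi's own SecurityInterceptor or provider code.
public class ReauthDemo {
    // Stands in for the authentication repository (e.g. the users table); an absent user is disabled.
    static class UserRepository {
        final Map<String, Set<String>> authoritiesByUser = new HashMap<>();
        void disable(String user) { authoritiesByUser.remove(user); }
    }
    // What the interceptor places back into the security context after each request.
    record Authentication(String principal, Set<String> authorities, boolean authenticated) {}
    // Provider whose cache is cleared by an explicit eviction call, not by a timeout.
    static class CachingProvider {
        private final UserRepository repo;
        private final Map<String, Authentication> cache = new HashMap<>();
        int repositoryHits = 0;
        CachingProvider(UserRepository repo) { this.repo = repo; }
        Authentication authenticate(Authentication request) {
            String user = request.principal();
            Authentication cached = cache.get(user);
            if (cached != null) return cached;                 // repeated request: no repository cost
            repositoryHits++;
            Set<String> roles = repo.authoritiesByUser.get(user);
            if (roles == null) throw new IllegalStateException("account disabled: " + user);
            Authentication fresh = new Authentication(user, roles, true);
            cache.put(user, fresh);
            return fresh;
        }
        // The admin operation that disables a user or changes roles calls this immediately.
        void evict(String principal) { cache.remove(principal); }
    }
    public static void main(String[] args) {
        UserRepository repo = new UserRepository();
        repo.authoritiesByUser.put("alice", Set.of("ROLE_USER"));   // constructed sample user
        CachingProvider provider = new CachingProvider(repo);
        Authentication context = new Authentication("alice", Set.of(), false);
        context = provider.authenticate(context);              // request 1: repository consulted
        context = provider.authenticate(context);              // request 2: served from cache
        System.out.println("repository hits after two requests: " + provider.repositoryHits);
        repo.disable("alice");                                  // "the call" comes in
        provider.evict("alice");                                // eviction makes the change take effect now
        try {
            provider.authenticate(context);                     // request 3: rejected although authenticated() is true
        } catch (IllegalStateException e) {
            System.out.println("request 3: " + e.getMessage());
        }
    }
}
```

Had the interceptor trusted context.authenticated() alone, request 3 would have been admitted with the stale authorities from request 1.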
