Why the acegi authenticated only once...

[jameli]

I use the acegi and cas ,and I write myself authenticationDao with

hibernate.

I implements rabc.Everything is ok!

but a strange thing comes:

I use tomcat5.0.28 to test,only the first time when I visit the secured

url ,the

application asks me to login in the cas.After authenticated successfully,I

close the IE,and visit the same

url ,it need not authenticate.Even when I restart the tomcat,it need not

authenticate too.Only when I clear the work directory of tomcat and

restart again,it works!

why? :x

[Scott Battaglia]

I haven't looked at the Acegi code that closely, but I would assume its because the authentication information is still in the session.

I know that Tomcat 5 attempts to serialize sessions to disk on shutdown and then restore them when its started. I would assume IE is still sending the cookie to the server if your authentication is still valid.

That's just a guess though.

[Ben Alex]

Wow, that Tomcat behaviour is sure going to catch some people.... Thanks for the info Scott.

It's also possible that maybe Acegi Security is forwarding the browser back through to the CAS Server which is reauthenticating the user and sending the ticket back to the Acegi Security secured application. Try switching on debug-level logging to get some more clues as to what is happening, if it is not the Tomcat 5 serialization Scott mentioned.

[Scott Battaglia]

if you want to disable session saving, check this out:
http://jakarta.apache.org/tomcat/tom...g/manager.html

To enable/disable is one of the options.