I've been having a peculiar problem with Acegi in our web application. To give you a little bit of context, it's a web app built on Spring and it runs in Tomcat. The problem occurs when an administrator suspends a user account while the user is logged in. This effectively changes the "enabled" flag in the database. It also evicts the user object from the cache, forcing Acegi to authenticate the user against the database instead of the cache. This throws a DisabledException error and the SecurityEnforcementFilter tries to redirect the user back to the authentication entry point which is the expected behavior. But this causes the application to go into a loop, hosing the system.
After the user is disabled, the system tries to take the user back to the entry point which I believe is set through the loginFormUrl property of the AuthenticationProcessFilterEntryPoint bean. Now I've read some posts here that say that this loginFormUrl must not be defined as a secure resource in the objectDefinitionSource of the filterInvocationInterception bean. Is this what's causing the infinite loop? I've examined the source code and I can't seem to find any potential for infinite loops when an AuthenticationException gets thrown.
Any insight would be much appreciated.