FilterSecurityInterceptor now only executes once per request (improves performance with SiteMesh). Suggested by Sanjiv Jivan.

core/src/main/java/org/acegisecurity/intercept/web/FilterSecurityInterceptor.java

@@ -1,4 +1,4 @@
-/* Copyright 2004 Acegi Technology Pty Limited
+/* Copyright 2004, 2005 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,6 +44,10 @@ import net.sf.acegisecurity.intercept.ObjectDefinitionSource;
  * @version $Id$
  */
 public class FilterSecurityInterceptor extends AbstractSecurityInterceptor {
+    //~ Static fields/initializers =============================================
+
+    private static final String FILTER_APPLIED = "__acegi_filterSecurityInterceptor_filterApplied";
+
     //~ Instance fields ========================================================
 
     private FilterInvocationDefinitionSource objectDefinitionSource;
@@ -64,12 +68,23 @@ public class FilterSecurityInterceptor extends AbstractSecurityInterceptor {
     }
 
     public void invoke(FilterInvocation fi) throws Throwable {
-        InterceptorStatusToken token = super.beforeInvocation(fi);
-
-        try {
+        if ((fi.getRequest() != null)
+            && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)) {
+            // filter already applied to this request, so don't re-do security checking
             fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
-        } finally {
-            super.afterInvocation(token, null);
+        } else {
+            // first time this request being called, so perform security checking
+            if (fi.getRequest() != null) {
+                fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
+            }
+
+            InterceptorStatusToken token = super.beforeInvocation(fi);
+
+            try {
+                fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+            } finally {
+                super.afterInvocation(token, null);
+            }
         }
     }
 

core/src/test/java/org/acegisecurity/MockHttpServletRequest.java

@@ -49,6 +49,7 @@ public class MockHttpServletRequest implements HttpServletRequest {
     //~ Instance fields ========================================================
 
     private HttpSession session = new MockHttpSession();
+    private Map attribMap = new HashMap();
     private Map headersMap = new HashMap();
     private Map paramMap = new HashMap();
     private Principal principal;
@@ -86,11 +87,11 @@ public class MockHttpServletRequest implements HttpServletRequest {
     //~ Methods ================================================================
 
     public void setAttribute(String arg0, Object arg1) {
-        throw new UnsupportedOperationException("mock method not implemented");
+        this.attribMap.put(arg0, arg1);
     }
 
     public Object getAttribute(String arg0) {
-        throw new UnsupportedOperationException("mock method not implemented");
+        return this.attribMap.get(arg0);
     }
 
     public Enumeration getAttributeNames() {

doc/xdocs/changes.xml

@@ -33,6 +33,7 @@
       <action dev="benalex" type="update">User now accepted blank passwords (null passwords still rejected)</action>
       <action dev="benalex" type="update">ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method</action>
       <action dev="benalex" type="update">HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily</action>
+      <action dev="benalex" type="update">FilterSecurityInterceptor now only executes once per request (improves performance with SiteMesh)</action>
       <action dev="benalex" type="fix">Contacts sample web.xml no longer expect Log4j to be in classpath</action>
       <action dev="raykrueger" type="update">JaasAuthenticatinProvider now uses System.property "java.security.auth.login.config"</action>
       <action dev="raykrueger" type="update">JaasAuthenticationCallbackHandler Authentication is passed to handle method setAuthenticatoin removed</action>