Matt Raible - 27/Apr/07 02:25 PM Fix: public void attributeAdded(HttpSessionBindingEvent event) {         if (event.getName().equals(EVENT_KEY) && !isAnonymous()) {             SecurityContext securityContext = (SecurityContext) event.getValue();             User user = (User) securityContext.getAuthentication().getPrincipal();             addUsername(user);         // Workaround for Jetty bug (http://www.nabble.com/current-user-count-incorrect-tf3550268.html#a9919134)         } else if (event.getName().equals(AuthenticationProcessingFilter.ACEGI_SECURITY_LAST_USERNAME_KEY)) {             String username = (String) event.getValue();             User user = new User(username);             addUsername(user);         }     }

Alexander Maslov - 30/Apr/07 02:31 AM I do not think it is Jetty's bug. org.acegisecurity.context.HttpSessionContextIntegrationFilter sets attribute ACEGI_SECURITY_CONTEXT_KEY first for anonymous user and attributeAdded is fired. After authentification org.acegisecurity.context.HttpSessionContextIntegrationFilter sets the this attribute with the SAME OBJECT ,some ...SecurityContext don not remember now (with internal data changed of course). But Jetty does not fire attributeReplaces because Jetty uses equal() method to compare new and old values. But ACEGI_SECURITY_CONTEXT_KEY is the same object, so equal() returns TRUE. As a result this setAttribute ignored. Spec does not say how exactly implementation should work with attributes, but for me jetty's behavior looks quite normal. thx for the fix (just do not like that comment "// Workaround for Jetty bug ", of course it's subjective )