6 Replies Latest reply on Mar 3, 2008 8:46 AM by Marc

    How to dynamically change security role without logging out



      I have a custom LoginModule derived from some sample code. There, I create a SimpleGroup, "Roles", to store security roles used by my web applications. This "Roles" is then set into the Subject's principal.

      I also have a group of Web applications that are hooked together with Single-Sign On with each web application requiring a different security role that can be found in the "Roles" group. Everything works as expected.

      Now, I am trying to allow a user to change the security roles within a web application session.

      I use SecurityAssociation.getSubject() to get back the current Subject. From the Subject, I retrieved back the Group, "Roles". Finally, from this "Roles" Group, I added additional security roles in the form of Principal.

      However, I notice that Tomcat returns status 403, forbidden, for resources that are protected by security roles that I newly added within a user session. It does not seem to look into what's in "Roles" Group anymore until I log out the current user, and log back in.

      Does Tomcat keep its own cache of user's security roles separate from what's stored in the Subject? Does this have anything to do with SSO? What am I missing?