There is no support for refreshing an existing login's associated roles without reauthenticating.
Thanks for the quick response, Scott. I am wondering whether JBossGenericPrincipal can be made a public class. The security roles I have are stored in my callerPrincipal. I am experimenting with subclassing JBossSecurityMgrRealm and, in the getCachedPrincipal method, returning a subclass of JBossGenericPrincipal that overrides getRoles() and hasRole(). I am currently stuck at JBossGenericPrincipal being a package-private class that I cannot subclass.
One more note: I tested the approach of subclassing JBossSecurityMgrRealm as mentioned above. It works well. I have to recompile JBoss to make JBossGenericPrincipal a public class, along with making public a few of its methods. Would you please make this class public? I am using JBoss 4.0.1.
P.S. I would need
public class JBossGenericPrincipal
public Principal getAuthPrincipal()
public Principal getCallerPrincipal()
public Object getCredentials()
public Subject getSubject()
I don't think I want to support that level of integration, as it's too tightly coupled to the implementation. There should be some type of refresh capability for the user roles. Create a feature request in JIRA with your changes and I'll see how this can be supported without requiring subclassing and access to the user representation.
Look at the JIRA issue:
The workaround is in:
For JBoss5 going forward, we may solve this in a better way than the proposed workaround.
We were finally able to work around this issue without resorting to turning off all authentication caching in 4.2.2GA.
First I flush the authentication cache for the user who needs their roles refreshed.
Then use the new WebAuthentication class that Anil added (see:
to log out the user and programmatically log them right back in.
Anil, do you see any drawbacks to this approach?
Hope this helps!
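The two-step workaround described in the post above (flush the cached authentication for one user, then log the user out and straight back in through WebAuthentication), written out as an added example. This is not the poster's code nor code shipped with JBoss. It assumes JBoss 4.2.x, where the JaasSecurityManagerService MBean is registered as jboss.security:service=JaasSecurityManager and exposes flushAuthenticationCache(String securityDomain, Principal user), and where org.jboss.web.tomcat.security.login.WebAuthentication offers login(String, Object) and logout(). The class name RoleRefresher and the method refreshRoles are invented for this illustration.

```java
import java.security.Principal;

import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.SimplePrincipal;
import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * Forces the container to pick up a user's changed roles (illustrative
 * helper, not part of JBoss). Must be called from inside an active web
 * request, because WebAuthentication relies on the request/response that
 * the JBoss Tomcat security valve binds to the current thread.
 */
public class RoleRefresher {

    // Assumed MBean name of the JaasSecurityManagerService in JBoss 4.2.x.
    private static final String JAAS_SECURITY_MANAGER =
            "jboss.security:service=JaasSecurityManager";

    /**
     * @param securityDomain the security domain the web app authenticates
     *                       against, e.g. the name after "java:/jaas/" in
     *                       jboss-web.xml
     * @param username       the user whose roles have changed
     * @param credential     the user's credential, needed for the re-login;
     *                       the caller is responsible for obtaining it
     *                       legitimately (this helper never bypasses the
     *                       login modules)
     * @return true if the re-login succeeded and the new roles are in effect
     */
    public static boolean refreshRoles(String securityDomain,
                                       String username,
                                       Object credential) throws Exception {
        // Step 1: evict only this user's entry from the domain's
        // authentication cache, so the next login re-runs the login modules
        // instead of returning the stale Subject (and its stale roles).
        MBeanServer server = MBeanServerLocator.locateJBoss();
        ObjectName name = new ObjectName(JAAS_SECURITY_MANAGER);
        Principal user = new SimplePrincipal(username);
        server.invoke(name,
                "flushAuthenticationCache",
                new Object[] { securityDomain, user },
                new String[] { String.class.getName(), Principal.class.getName() });

        // Step 2: drop the current web session's authenticated principal and
        // re-authenticate programmatically. Because the cache entry is gone,
        // the login modules run again and build a Subject with current roles.
        WebAuthentication webAuth = new WebAuthentication();
        webAuth.logout();
        return webAuth.login(username, credential);
    }
}
```

Two caveats worth checking before relying on this in production: the re-login needs a usable credential at the time the roles change, so it fits flows where the user is already supplying one (password change, explicit "refresh" action) better than a silent background refresh; and flushing the cache entry does nothing for other nodes in a cluster, each of which keeps its own JaasSecurityManager cache.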