Hi,
I faced a problem trying to change the membership of the currently logged-in user.
I have a page Page_A, which has access limited only to users in role Role_A, and a User_A, which is not in this role. Then I perform the following steps:
1. I log in as User_A. I don't see Page_A in the navigation area, where CatalogPortlet is displayed, and this is OK.
2. Then I add User_A to Role_A (this is done from another browser instance where I'm logged in as admin).
3. As User_A I hit "Refresh" in the browser, and I still do not see Page_A in the navigation area, which seems to be wrong.
4. An attempt to access Page_A directly by constructing the URL gives me a 403 error, which means that the problem is not only in CatalogPortlet caching the user's privileges.
5. I log off as User_A and log in again as User_A. I can see Page_A - this is OK.
6. I remove the user from ROLE_A - and I still have access to PAGE_A until the next logoff/login.
So, my guess is that the user's privileges/membership information is cached until the user's next login.
I use out-of-the-box JBoss Portal 2.6.2 (using default Hibernate implementation of User/Role/Membership modules).
I've seen the issue http://jira.jboss.com/jira/browse/JBPORTAL-1708 - "Identity APIs should invalidate cache on update/change of role membership", and tried proposed workaround, turning both query caching and second level cache, but had no luck.
Have I missed something? Is this a bug, or expected behavior?
If this is expected behavior, is there a way to get rid of such caching?
It really stops me from implementing flexible access control by assigning different roles to a user on-the-fly programmatically.
Thanks in advance.
--
Alexander Syedin
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ
Check Q11. Roles assignment is kept by JAAS until user logout
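
The behaviour described in this thread, as an added example that is not part of the original posts and is not JBoss Portal code: a simplified model in which roles are copied into the JAAS `Subject` at login, shown beside a check that also re-reads the membership store so that a revocation (step 6) takes effect without waiting for logout. The names `Role`, `membership`, `login`, `canViewSnapshot` and `canViewRechecked` are hypothetical; only `javax.security.auth.Subject` and `java.security.Principal` are real JDK APIs.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class StaleRoleDemo {
    // Hypothetical role principal; real login modules define their own type.
    record Role(String name) implements Principal {
        public String getName() { return name; }
    }

    // Constructed in-memory store standing in for the role membership module.
    static final Map<String, Set<String>> membership = new HashMap<>();

    // At login the user's current roles are snapshotted into the Subject.
    static Subject login(String user) {
        Subject s = new Subject();
        for (String r : membership.getOrDefault(user, Set.of()))
            s.getPrincipals().add(new Role(r));
        return s;
    }

    // Consults only the login-time snapshot, so later membership
    // changes are invisible until the user logs in again.
    static boolean canViewSnapshot(Subject s, String role) {
        return s.getPrincipals(Role.class).stream()
                .anyMatch(r -> r.getName().equals(role));
    }

    // Requires the snapshot AND current membership: a revocation is
    // honoured at once, while a new grant still needs a fresh login.
    static boolean canViewRechecked(String user, Subject s, String role) {
        return canViewSnapshot(s, role)
                && membership.getOrDefault(user, Set.of()).contains(role);
    }

    public static void main(String[] args) {
        membership.put("User_A", new HashSet<>(Set.of("Role_A")));
        Subject session = login("User_A");
        membership.get("User_A").remove("Role_A"); // admin revokes, as in step 6
        System.out.println("snapshot check:  "
                + canViewSnapshot(session, "Role_A"));
        System.out.println("rechecked check: "
                + canViewRechecked("User_A", session, "Role_A"));
    }
}
```

The rechecked form narrows only the revocation window; a role granted mid-session (steps 2 to 4) still appears only after the next login, because the session's `Subject` is not rebuilt.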