1 Reply Latest reply on Nov 23, 2007 7:57 AM by bdaw

    Refreshing user membership information without logoff

    asyedin

      Hi,
      I faced a problem trying to change the membership of a currently logged-in user.

      I have a page, Page_A, which has access limited only to users in role Role_A, and a user, User_A, who is not in this role. Then I perform the following steps:

      1. I log in as User_A. I don't see Page_A in the navigation area, where CatalogPortlet is displayed, and this is OK.
      2. Then I add User_A to Role_A (this is done from another browser instance where I'm logged in as admin).
      3. As User_A, I hit "Refresh" in the browser, and I still do not see Page_A in the navigation area, which seems to be wrong.
      4. An attempt to access Page_A directly by constructing the URL gives me a 403 error, which means that the problem is not only in CatalogPortlet caching the user's privileges.
      5. I log off User_A and log in again as User_A. I can see Page_A - this is OK.
      6. I remove the user from Role_A - and I still have access to Page_A until the next logoff/login.

      So, my guess is that the user's privileges/membership information is cached until the user's next login.

      I use an out-of-the-box JBoss Portal 2.6.2 (using the default Hibernate implementation of the User/Role/Membership modules).

      I've seen the issue http://jira.jboss.com/jira/browse/JBPORTAL-1708 - "Identity APIs should invalidate cache on update/change of role membership", and tried the proposed workaround, turning both query caching and second level cache, but had no luck.

      Have I missed something? Is this a bug, or expected behavior?
      If this is expected behavior, is there a way to get rid of such caching?
      It really stops me from implementing flexible access control by assigning different roles to a user on the fly programmatically.

      Thanks in advance.

      --
      Alexander Syedin