[jboss-user] [JBoss Portal] - Refreshing user membership information without logoff

asyedin do-not-reply at jboss.com
Sun Nov 4 19:35:14 EST 2007


Hi,
I faced a problem trying to change the membership of a currently logged-in user.

I have a page Page_A, which has access limited only to users in role Role_A, and a User_A, who is not in this role. Then I perform the following steps:

1. I log in as User_A. I don't see Page_A in the navigation area, where CatalogPortlet is displayed, and this is OK.
2. Then I add User_A to Role_A (this is done from another browser instance where I'm logged in as admin).
3. As User_A I hit "Refresh" in the browser, and I still do not see Page_A in the navigation area, which seems to be wrong.
4. An attempt to access Page_A directly by constructing the URL gives me a 403 error, which means that the problem is not only in CatalogPortlet caching the user's privileges.
5. I log off User_A and log in again as User_A. I can see Page_A - this is OK.
6. I remove the user from ROLE_A - and I still have access to PAGE_A, until the next logoff/login.

So, my guess is that the user's privileges/membership information is cached until the user's next login.

I use out-of-the-box JBoss Portal 2.6.2 (using default Hibernate implementation of User/Role/Membership modules).

I've seen the issue http://jira.jboss.com/jira/browse/JBPORTAL-1708 - "Identity APIs should invalidate cache on update/change of role membership", and tried the proposed workaround, turning both query caching and second level cache, but had no luck.

Have I missed something? Is this a bug, or expected behavior?
If this is expected behavior, is there a way to get rid of such caching?
It really stops me from implementing flexible access control by assigning different roles to a user on-the-fly programmatically.

Thanks in advance.

-- 
Alexander Syedin

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4101640#4101640
