Hot redeploy does not invalidate AuthCache when flushOnSessionInvalidation="true"
---------------------------------------------------------------------------------
Key: SECURITY-504
URL: https://jira.jboss.org/jira/browse/SECURITY-504
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: JBoss 5.1.0GA
Reporter: Ondrej Medek
Assignee: Anil Saldhana
Hi,
AuthCache is still valid when I hot redeploy my web app. I have set
flushOnSessionInvalidation="true". My jboss-web.xml:
<jboss-web>
  <security-domain flushOnSessionInvalidation="true">java:/jaas/blue-tiger</security-domain>
  <context-root>tiger</context-root>
  <max-active-sessions>5000</max-active-sessions>
</jboss-web>
Note: I have an EAR with EJB module, which has jboss.xml:
<jboss>
  <security-domain>java:/jaas/blue-tiger</security-domain>
  <unauthenticated-principal>anonymous</unauthenticated-principal>
  <container-configurations></container-configurations>
</jboss>
and my WAR is deployed separately to the EAR.
Steps to reproduce:
1. Deploy WAR with flushOnSessionInvalidation="true"
2. Log in any user.
3. Change a role of the user in the database.
4. Redeploy the WAR (delete it and copy it to the deploy dir again)
5. Log in as the same user. Check the user roles by HttpServletRequest.isUserInRole(String role)
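
Added example (not part of the original report and not PicketBox code): one possible workaround is a ServletContextListener in the WAR that flushes the security domain's authentication cache when the context is destroyed, so a hot redeploy cannot leave stale roles cached. It assumes the JBoss AS JaasSecurityManager MBean name and its flushAuthenticationCache operation, and that the operation takes the short domain name "blue-tiger"; the class name is hypothetical.

```java
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/** Added example: flushes the JAAS authentication cache when the WAR is undeployed. */
public class AuthCacheFlushListener implements ServletContextListener {

    // Security domain from jboss-web.xml (java:/jaas/blue-tiger).
    // Assumption: the flush operation expects the name without the java:/jaas/ prefix.
    private static final String SECURITY_DOMAIN = "blue-tiger";

    // Assumption: object name of the JBoss AS security manager service MBean.
    private static final String JAAS_MANAGER = "jboss.security:service=JaasSecurityManager";

    public void contextInitialized(ServletContextEvent event) {
        // Nothing to do on deploy.
    }

    public void contextDestroyed(ServletContextEvent event) {
        try {
            ObjectName name = new ObjectName(JAAS_MANAGER);
            // Several MBeanServers can exist in one JVM; use the one hosting the service.
            List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
            for (MBeanServer server : servers) {
                if (server.isRegistered(name)) {
                    server.invoke(name, "flushAuthenticationCache",
                            new Object[] { SECURITY_DOMAIN },
                            new String[] { String.class.getName() });
                    event.getServletContext().log("Flushed auth cache for " + SECURITY_DOMAIN);
                    return;
                }
            }
            event.getServletContext().log("JaasSecurityManager MBean not found; cache not flushed");
        } catch (Exception e) {
            // Never block undeploy; record the failure so stale roles can be investigated.
            event.getServletContext().log("Auth cache flush failed", e);
        }
    }
}
```

The listener has to be registered with a listener element in the WAR's web.xml. The flush covers the whole domain, so the EJB module sharing java:/jaas/blue-tiger also re-authenticates its callers against the login module on their next request.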