Permissions Caching When Session Abandoned
------------------------------------------
Key: JBPORTAL-1538
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1538
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal Security
Affects Versions: 2.4.1 SP1
Environment: RHEL 5 Workstation
FireFox 1.5.0.1.2
Reporter: Mike Millson
Assigned To: Julien Viet

Starting with an out-of-box portal deployment:
1) Log in as admin
2) Create a role TestRole
3) Create a user TestUser
4) Assign TestRole to TestUser
5) Create a page TestPage and secure it with TestRole
6) Log out
7) Log in as TestUser. You will see the TestPage tab
8) Abandon the TestUser session by closing the browser or deleting the TestUser session cookie
9) Log in as admin
10) Remove TestRole from TestUser
11) Log out
12) Type in the URL to the portal (don't use login screen presented after #11 logout)
13) Log in as TestUser
14) The TestPage tab is displayed, even though TestUser no longer has permission to access it.

The TestPage tab does not disappear until I log out and re-login as TestUser.

I don't think this is a 2nd level cache or query cache issue, as I disabled both and could still reproduce this.