[jboss-jira] [JBoss JIRA] Created: (SECURITY-504) Hot redeploy does not invalidate AuthCache when flushOnSessionInvalidation="true"

Ondrej Medek (JIRA) jira-events at lists.jboss.org
Sun May 2 15:19:05 EDT 2010


Hot redeploy does not invalidate AuthCache when flushOnSessionInvalidation="true"
---------------------------------------------------------------------------------

                 Key: SECURITY-504
                 URL: https://jira.jboss.org/jira/browse/SECURITY-504
             Project: PicketBox (JBoss Security and Identity Management)
          Issue Type: Bug
      Security Level: Public (Everyone can see)
         Environment: JBoss 5.1.0GA
            Reporter: Ondrej Medek
            Assignee: Anil Saldhana


Hi,

AuthCache is still valid when I hot redeploy my web app. I have set flushOnSessionInvalidation="true". My jboss-web.xml:
<jboss-web>
    <security-domain flushOnSessionInvalidation="true">java:/jaas/blue-tiger</security-domain>
    <context-root>tiger</context-root>
    <max-active-sessions>5000</max-active-sessions>
</jboss-web>

Note: I have an EAR with EJB module, which has jboss.xml:
<jboss>
	<security-domain>java:/jaas/blue-tiger</security-domain>
	<unauthenticated-principal>anonymous</unauthenticated-principal>
	<container-configurations></container-configurations>
</jboss>
and my WAR is deployed separately to the EAR.


Steps to reproduce:
1. Deploy WAR with flushOnSessionInvalidation="true"
2. Log in any user.
3. Change a role of the user in the database.
4. Redeploy the WAR (delete it and copy it to the deploy dir again)
5. Log in as the same user. Check the user roles by HttpServletRequest.isUserInRole(String role)
