You have to flush the cache because the user is not the current user.
I've got code ready to commit that does the trick.

- Dave

On 7/26/07, Matt Raible <[EMAIL PROTECTED]> wrote:
You could also reset the authentication object:

    // reset the authentication object if current user
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null && auth.getPrincipal() instanceof UserDetails) {
        User currentUser = (User) auth.getPrincipal();
        if (currentUser.getId().equals(user.getId())) {
            auth = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
    }

From http://static.appfuse.org/appfuse-service/xref/org/appfuse/service/UserSecurityAdvice.html.

Matt

On 7/26/07, Allen Gilliland <[EMAIL PROTECTED]> wrote:
>
>
> Dave wrote:
> > On 7/26/07, Allen Gilliland <[EMAIL PROTECTED]> wrote:
> >> Hmmm, I don't know that there is no need for that cache.  That cache is
> >> used to prevent us from having to hit the db constantly when checking
> >> authentication/authorization.  Without it, every single request from
> >> users that are logged in requires extra queries against the db.
> >
> > Good point. I'll figure out how to flush that cache.
>
>
> I took a quick look at it and I think you should be able to look up the
> "userCache" bean from spring and then call
> userCache.removeUserFromCache(username).  The class used for caching is
> this one ...
>
> http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/providers/dao/cache/EhCacheBasedUserCache.html
>
> Generally speaking I don't like the idea of putting in more code that
> directly tries to access spring beans, but I'm not sure there is any
> other option here.
>
> -- Allen
>
>
> >
> > - Dave
>


--
http://raibledesigns.com
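
Added example, not part of the original thread and not Roller or AppFuse code: the two suggestions above combined, evicting the changed user from the Acegi user cache in every case and replacing the Authentication only when the changed user is the one logged in. The class name, method name and the previousUsername parameter are assumptions made for illustration.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.dao.UserCache;
import org.acegisecurity.userdetails.UserDetails;

/** Hypothetical helper; the name and method signature are assumptions. */
public class UserChangeHandler {

    // For example the "userCache" bean mentioned in the thread, injected by Spring.
    private final UserCache userCache;

    public UserChangeHandler(UserCache userCache) {
        this.userCache = userCache;
    }

    /**
     * Call after a user's password, roles or enabled flag has been saved.
     *
     * @param previousUsername username the cache entry was stored under
     *                         (differs from updated.getUsername() after a rename)
     * @param updated          the user as it now exists in the database
     */
    public void userChanged(String previousUsername, UserDetails updated) {
        // Always evict, whoever made the change: the cached entry still
        // carries the old password and authorities. The cache is keyed by
        // username, so the pre-change name is the one to remove.
        userCache.removeUserFromCache(previousUsername);

        // If the changed user is the one on this request, the Authentication
        // in the security context is stale as well, so replace it.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getPrincipal() instanceof UserDetails) {
            UserDetails current = (UserDetails) auth.getPrincipal();
            if (current.getUsername().equals(previousUsername)) {
                Authentication fresh = new UsernamePasswordAuthenticationToken(
                        updated, updated.getPassword(), updated.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(fresh);
            }
        }
    }
}
```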
