"Kenworthy, Edward" wrote:
> 
> Is that because jBoss should call it but doesn't, or it shouldn't so it
> doesn't ?
It shouldn't, because it's stateless, i.e. it doesn't track user
login/logout.

> 
> Doesn't that mean that it would give the wrong results given the following,
> reasonable scenario:
> 
> 1)User Edward logs in. Is currently assigned to role SalesManager.
> 2)ServerLoginModule binds role SalesManager to Edward.
> 3)Edward logs off jBoss (stays logged on to some other service so the
> Subject remains in memory as Subject is shared across services).
> 4)Administrator modifies Edward's roles, removes SalesManager and adds
> FinancialAdvisor and ComplianceOfficer.
> 5)User Edward logs in and ServerLoginModule binds role FinancialAdvisor and
> ComplianceOfficer to Edward. However he still has the role of SalesManager
> associated as well.
Yes, the problem that you point out exists, and this is the common
problem for all caches - they may become outdated.
The only good solution that I know is to make the cache time-limited and
to purge old info from it.
Say, if we set the time limit to 30 min, the change of Edward's roles
will come into force in not more than 30 min, but on the other hand
ServerLoginModule will be called for re-authentication every 30 min.
Such an approach may seem worse than login/logout tracking, but it is good
for scalability (e.g., a web user may leave the system without logout and
will keep taking server memory), also it is the general idea of JBoss
architecture.
A time-limited cache is not implemented yet, but it is on my todo list.

Oleg
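The stale-role scenario and the time-limited cache Oleg describes, replayed as an added example (not JBoss code and not code from this thread; the TimeLimitedSubjectCache class, the in-memory role store and the injectable clock are constructed for illustration, in Python rather than Java to keep it self-contained):

```python
import time
from dataclasses import dataclass

@dataclass
class CacheEntry:
    roles: set
    authenticated_at: float

class TimeLimitedSubjectCache:
    """Caches roles bound at login and expires them after ttl_seconds.
    login_module stands in for ServerLoginModule and is called on every miss
    or expiry; clock is injectable so 30 minutes can be simulated."""
    def __init__(self, ttl_seconds, login_module, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.login_module = login_module
        self.clock = clock
        self.entries = {}
        self.login_calls = 0  # how many times re-authentication actually ran

    def roles_for(self, user):
        now = self.clock()
        entry = self.entries.get(user)
        if entry is not None and now - entry.authenticated_at < self.ttl:
            return set(entry.roles)  # hit: may be stale until the entry expires
        self.login_calls += 1  # miss or expired: re-authenticate and refresh
        roles = set(self.login_module(user))
        self.entries[user] = CacheEntry(roles, now)
        return set(roles)

    def purge_expired(self):
        """Drops expired entries so idle users stop occupying server memory."""
        now = self.clock()
        gone = [u for u, e in self.entries.items() if now - e.authenticated_at >= self.ttl]
        for user in gone:
            del self.entries[user]
        return len(gone)

def replay_edward(ttl_seconds=30 * 60):
    """Replays the thread's scenario on a fake clock; returns what each lookup saw."""
    role_store = {"Edward": {"SalesManager"}}  # constructed admin-managed role store
    clock = {"t": 0.0}
    cache = TimeLimitedSubjectCache(ttl_seconds, lambda u: role_store.get(u, set()),
                                    clock=lambda: clock["t"])
    first = cache.roles_for("Edward")  # steps 1-2: SalesManager bound and cached
    role_store["Edward"] = {"FinancialAdvisor", "ComplianceOfficer"}  # step 4
    clock["t"] += 10 * 60
    stale = cache.roles_for("Edward")  # step 5 inside the TTL: still SalesManager
    clock["t"] += 25 * 60  # 35 min after login: the entry has expired
    fresh = cache.roles_for("Edward")  # re-authenticated, new roles take effect
    return first, stale, fresh, cache.login_calls
```

With a 30-minute TTL the second lookup still returns SalesManager, and only the lookup after expiry picks up the administrator's change; a shorter TTL narrows that window at the cost of more ServerLoginModule calls.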

