I'm using Jetspeed 2.2.0. In our application, we allow an administrative user to add a user to a group while the target user is logged in.
In this scenario, the Subject held in the session and the RequestContext will not contain the new group principal object. Looking at SecurityValveImpl.getSubject(RequestContext request), it looks to be working as designed. I've written a service to extend SecurityValveImpl in order to allow the Subject held in the session and the RequestContext to be updated when we mark a specific user as having invalid principals. Essentially what I'm doing is removing the Subject reference from the session and then returning null from resolveSubjectFromContext in order to cause getSubject to call UserManager.getSubject and update its reference. This seems to work just fine. I'm curious whether anyone sees any potential problems with doing this type of thing; am I bending the rules?

Daniel
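The subclass approach Daniel describes, written out as an added illustration; this is not code from the original post or from the Jetspeed project. It assumes, without verifying against the Jetspeed 2.2.0 source, that `resolveSubjectFromContext(RequestContext)` is a protected method returning `Subject`, that `SecurityValveImpl` has a constructor taking a `UserManager`, that the cached Subject lives in the HTTP session under `PortalReservedParameters.SESSION_KEY_SUBJECT`, and that the logged-in user's principal in the Subject implements `org.apache.jetspeed.security.User`. The class name, the `staleUsers` set and `markPrincipalsInvalid` are hypothetical names chosen here.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.servlet.http.HttpSession;

import org.apache.jetspeed.PortalReservedParameters;     // assumed location of SESSION_KEY_SUBJECT
import org.apache.jetspeed.request.RequestContext;
import org.apache.jetspeed.security.User;                // assumed principal type for the logged-in user
import org.apache.jetspeed.security.UserManager;
import org.apache.jetspeed.security.impl.SecurityValveImpl;

/**
 * Hypothetical SecurityValveImpl subclass (added example, not Jetspeed code).
 * When an administrator changes a user's group membership, the admin code path
 * calls markPrincipalsInvalid(userName). On that user's next request the cached
 * Subject is dropped from the session and resolveSubjectFromContext returns null,
 * so the inherited getSubject(...) rebuilds the Subject via UserManager.getSubject
 * and the request carries the current set of group principals.
 */
public class RefreshingSecurityValve extends SecurityValveImpl {

    /** Usernames whose cached Subject must be rebuilt; thread-safe, Java 6 style. */
    private final Set<String> staleUsers =
        Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    // Assumption: the superclass exposes a (UserManager) constructor.
    public RefreshingSecurityValve(UserManager userManager) {
        super(userManager);
    }

    /** Called after any group/role change for the user, additions and removals alike. */
    public void markPrincipalsInvalid(String userName) {
        staleUsers.add(userName);
    }

    /** True while a rebuild is still pending for the user (useful for tests and monitoring). */
    public boolean isMarkedInvalid(String userName) {
        return staleUsers.contains(userName);
    }

    // Assumption: this protected hook exists with this signature in SecurityValveImpl.
    @Override
    protected Subject resolveSubjectFromContext(RequestContext request) throws Exception {
        Subject cached = super.resolveSubjectFromContext(request);
        String userName = userNameOf(cached);

        // remove() is atomic, so two concurrent requests from the same user cannot
        // both skip the rebuild or both leave the mark in place.
        if (userName != null && staleUsers.remove(userName)) {
            HttpSession session = request.getRequest().getSession(false);
            if (session != null) {
                session.removeAttribute(PortalReservedParameters.SESSION_KEY_SUBJECT);
            }
            return null;   // getSubject(...) now falls through to UserManager.getSubject
        }
        return cached;
    }

    /** Extracts the user name from the Subject, or null if there is no user principal. */
    private static String userNameOf(Subject subject) {
        if (subject == null) {
            return null;
        }
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof User) {
                return p.getName();
            }
        }
        return null;
    }
}
```

Two points worth keeping in mind with this pattern: the mark is held in process memory, so on a clustered portal it has to live somewhere shared (or the admin path has to mark every node) or a user can keep an outdated Subject on the nodes that were not told; and the same hook is what makes group removals take effect, which from a least-privilege standpoint is the more important case than additions, since a stale Subject otherwise keeps privileges the administrator has already withdrawn until the session ends.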