See AuthorizingRealm.clearCachedAuthorizationInfo - that should do the trick. You should call that method when the user's authorization state changes (e.g. role associations, directly assigned permissions, etc).

If you don't want to do that (don't want to call your realm's implementation every time you change security state elsewhere in your app), then my personally preferred approach is to not use AuthorizingRealm at all - I usually subclass AuthenticatingRealm directly and implement the authorization methods directly, relying on Hibernate and its 2nd-level cache to relieve any performance hit of traversing object graphs (user.getRoles(), role.getPermissions()). This is the best way if 1) changes to a Subject/User's security assignments must be immediately reflected instead of waiting for them to log out _and_ 2) you want the best possible performance to ensure these 'check every time' operations don't result in lots of queries to the database.

I hope that helps!

Cheers,

Les

On Tue, Dec 23, 2008 at 5:14 PM, Marc Dworkin <[email protected]> wrote:

> Hi All,
>
> Forwarding this to this list as it may be the more appropriate.
>
> Thanks!
>
> Marc
>
> ----- Forwarded Message ----
> *From:* Marc Dworkin <[email protected]>
> *To:* Grails Users <[email protected]>
> *Sent:* Tuesday, December 23, 2008 2:37:03 PM
> *Subject:* [grails-user] JSecurity Cache
>
> Hi,
>
> I am building an app where authorization is dynamically determined by
> domain object properties. I chose to use JSecurity, wrote a realm that
> encapsulates the authorization logic and have been using the
> jsec:hasPermission tag to filter content.
>
> My problem is that it appears that JSecurity is caching authorization,
> and so not picking up when it changes. How do I turn off this caching,
> or how can I programmatically clear the cache?
>
> Thanks!
>
> Marc
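A sketch of the first suggestion in the reply, added here as an example and not taken from the thread, JSecurity, or the Grails plugin: a realm that changes a user's permissions and clears that user's cached authorization entry in the same method, so the two cannot drift apart. `DomainRealm` and `AccountStore` are hypothetical names, and the `org.jsecurity.*` package, class and constructor names are assumed from JSecurity 0.9.

```java
import java.util.HashSet;
import java.util.Set;
import org.jsecurity.authc.*;
import org.jsecurity.authz.AuthorizationInfo;
import org.jsecurity.authz.SimpleAuthorizationInfo;
import org.jsecurity.realm.AuthorizingRealm;
import org.jsecurity.subject.PrincipalCollection;
import org.jsecurity.subject.SimplePrincipalCollection;

// Added example. Package and class names assume JSecurity 0.9 (org.jsecurity.*).
// DomainRealm and AccountStore are hypothetical.
public class DomainRealm extends AuthorizingRealm {

    /** Hypothetical lookup interface standing in for the app's domain objects. */
    public interface AccountStore {
        String storedCredential(String username);   // null if no such user
        Set<String> permissions(String username);   // current permission strings
        void revoke(String username, String permission);
    }

    private final AccountStore store;

    public DomainRealm(AccountStore store) {
        this.store = store;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String credential = store.storedCredential(username);
        if (credential == null) {
            throw new UnknownAccountException("no such account");
        }
        // The realm's credentials matcher compares this with the submitted token.
        return new SimpleAuthenticationInfo(username, credential, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // With an authorization cache configured, this runs only on a cache miss.
        String username = (String) principals.fromRealm(getName()).iterator().next();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setStringPermissions(new HashSet<String>(store.permissions(username)));
        return info;
    }

    /** Change security state and evict the cached entry in one step. */
    public void revokePermission(String username, String permission) {
        store.revoke(username, permission);
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(username, getName()));
    }
}
```

The principal and realm name passed to `SimplePrincipalCollection` are the same pair returned from `doGetAuthenticationInfo`, so the cleared entry is the one created for that user at login.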
