I store only the id in the session because I want to pull the user from the database freshly on each request. That's the safest security-wise. If something happens such as a change in roles or permissions, or deactivation, their permissions change on the next request instead of the next session.
I store the current user in the request, not the session (look again). That's so I only do the lookup once. Then the user is available for the remainder of the request processing.

Does that help?

Chas.

Erick Fleming wrote:
> @Derek, Sorry after reading through the posts I forgot you mentioned it.
>
> @Charles, Is there a reason you store CurrentUserId and CurrentUser in
> session?
>
> On Tue, Oct 28, 2008 at 12:56 PM, Derek Chen-Becker
> <[EMAIL PROTECTED]> wrote:
>> SecurityHelpers is what I was referring to before when I said I copied what
>> was in Mapper. It uses the helpers for random strings, hash, crypto, etc.
>>
>> Derek
>>
>> On Mon, Oct 27, 2008 at 10:25 PM, efleming969 <[EMAIL PROTECTED]> wrote:
>>> There is also SecurityHelpers which has some of this included.
>>>
>>> On Oct 27, 9:35 pm, efleming969 <[EMAIL PROTECTED]> wrote:
>>>> What does Jasypt offer that can't be done using java.security or
>>>> javax.crypto?
>>>>
>>>> On Oct 27, 3:16 am, Tim Perrett <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Yeah - I usually would add dependencies to a project unless really
>>>>> necessary, but as it was only 150k all in I thought what the hell
>>>>> Seems to be working quite nicely so far :-)
>>>>> Cheers, Tim
>>>>> Sent from my iPhone
>>>>> On 27 Oct 2008, at 04:59, "Charles F. Munat" <[EMAIL PROTECTED]> wrote:
>>>>>> Very nice. I'm going to check this Jasypt out when I get a chance.
>>>>>> You
>>>>>> just drop in the jar and then you can use it?
>>>>>> Chas.
>>>>>> Tim Perrett wrote:
>>>>>>> FYI - for completeness, this is what I did in my model class:
>>>>>>>>> http://blog.timperrett.com/2008/10/27/adding-jasypt-encryption-to-you...
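The pattern described in the message above, as an added framework-free sketch that is not code from the thread or from Lift: the session holds only the user id, and the user is reloaded once per request and cached on the request. The names User, UserStore, Request, log_in and the "current_user_id" key are assumptions made for illustration, and the in-memory store is a constructed stand-in for the database.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class User:
    id: int
    name: str
    roles: frozenset
    active: bool = True

class UserStore:
    """Constructed stand-in for the user table; counts lookups."""
    def __init__(self, users):
        self._rows = {u.id: u for u in users}
        self.lookups = 0

    def find(self, user_id):
        self.lookups += 1
        return self._rows.get(user_id)

    def update(self, user_id, **changes):
        self._rows[user_id] = replace(self._rows[user_id], **changes)

_UNSET = object()

class Request:
    """One request: shares the long-lived session, owns a short-lived cache."""
    def __init__(self, session, store):
        self.session = session
        self._store = store
        self._user = _UNSET  # request-scoped, never written to the session

    def current_user(self):
        if self._user is _UNSET:  # first use in this request: one lookup
            uid = self.session.get("current_user_id")
            user = self._store.find(uid) if uid is not None else None
            # A deleted or deactivated account is treated as anonymous.
            self._user = user if user is not None and user.active else None
        return self._user

    def can(self, role):
        user = self.current_user()
        return user is not None and role in user.roles

def log_in(session, user_id):
    session["current_user_id"] = user_id  # the id is all the session holds
```

A role change or deactivation made through UserStore.update is seen by the next Request built on the same session, while a request already in progress keeps the user it loaded.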
