Hi, I'm using Tomcats build in form-based auth mechanism and a JDBCRealm with usernames and roles from my DB.
It can happen that a user does a login and later due to some workflow he either obtains or looses a role. I can do the insert/delete of those roles without a problem in my DB. Unfortunately as long as the user stays logged on the webapp Tomcat seems to cache the role information as it was when the user previously performed his login. Means in detail that my DB is up-to-date but every request.isUserInRole() is not and gives me either true, although the role is already deleted or false, although I provided that role already. Is there any better way to update Tomcats security system to use the current roles and not to force a logoff and relogin? I have no idea at the moment where Tomcat stores the role info after login so that I could somehow update this info at the same time I update my DB. I hope someone can provide my a hint if and how this can be done. I hoped there would be some opposite feature of request.isUserInRole() like response.setUserRole() or something... Thx. Michael --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]