Sheldon Ross wrote:
> At the start it makes a distinction between permanent storage,
> and temporary. These appear to refer to (database) and (session)
> respectively. The problem lies with the fact that there is no link between
> the two. 

I cannot confirm this. data.getUser() provides the user object from the
session, where it is stored as User.SESSION_KEY.

Likewise, the ACL for the user that you get with data.getACL() is stored
in the session as AccessControlList.SESSION_KEY.

> The underlying user account object is stored in permanent storage
> and as such, if you update its name, email, etc., it updates the permanent
> storage object in memory. However, the session has no record of this.

It would have, if you manipulate the user object in the session. The
user object has a save()-method.

> This appears to be a serious limitation for sharing sessions across server 
> nodes.

I guess the problem is just that the user/acl implementation is not
serializable for some reason.

>> So I set the user and acl when someone logs in via
>>
>> user = TurbineSecurity.getAuthenticatedUser( username, password );
>> data.setUser(user);
>>
>> and the aforementioned ACL code.

This is actually part of the session validator code.

>>>             data.save();

This only saves the user object to the session, not the ACL. The ACL is
built and saved to the session by the AccessController.

>>> Any thoughts as to what I'm doing wrong, and how I can get the ACL to 
>>> persist with the 
>>> session?

If objects stored in the session are not serializable, Tomcat will log
that during shutdown or during startup. See your Tomcat logs for what
really happens.

This problem looks strange to me. What session validators,
ACL-implementations or other security-related settings do you have in place?

Bye, Thomas.
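
Since the diagnosis in this thread hinges on whether the user and ACL objects placed in the session are serializable (which is what decides whether Tomcat can persist or replicate them across nodes), the following is an added Java diagnostic. It is not code from the original thread or from Turbine: it takes a map of session attributes, tries to serialize each one the way a session manager would, and reports which ones would be dropped and why. The session keys and the `DemoUser` / `DemoAcl` classes are constructed stand-ins for the `User.SESSION_KEY` and `AccessControlList.SESSION_KEY` entries mentioned above, not the real Turbine classes or key values.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Reports which session attributes cannot be written with Java serialization. */
public class SessionSerializationCheck {

    /** One line of the report; failure == null means the attribute serialized cleanly. */
    public static final class Report {
        public final String key;
        public final String className;
        public final String failure;

        Report(String key, String className, String failure) {
            this.key = key;
            this.className = className;
            this.failure = failure;
        }

        @Override
        public String toString() {
            return key + " (" + className + "): "
                    + (failure == null ? "OK" : "WOULD BE LOST - " + failure);
        }
    }

    /**
     * Attempts a real ObjectOutputStream write of every attribute, so that a
     * Serializable wrapper with a non-serializable field is caught as well as
     * a class that never implemented Serializable at all.
     */
    public static List<Report> check(Map<String, Object> attributes) {
        List<Report> reports = new ArrayList<>();
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            Object value = entry.getValue();
            String className = value == null ? "null" : value.getClass().getName();
            String failure = null;
            if (value == null) {
                failure = null; // a null attribute is harmless to persistence
            } else if (!(value instanceof Serializable)) {
                failure = "does not implement java.io.Serializable";
            } else {
                try (ObjectOutputStream out =
                             new ObjectOutputStream(new ByteArrayOutputStream())) {
                    out.writeObject(value);
                } catch (NotSerializableException e) {
                    failure = "contains non-serializable member: " + e.getMessage();
                } catch (IOException e) {
                    failure = "serialization failed: " + e;
                }
            }
            reports.add(new Report(entry.getKey(), className, failure));
        }
        return reports;
    }

    /** Constructed stand-in for a user object that serializes without trouble. */
    static final class DemoUser implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        DemoUser(String name) { this.name = name; }
    }

    /** Constructed stand-in for an ACL that is marked Serializable but holds a
     *  plain Object field; writeObject will fail on that member. */
    static final class DemoAcl implements Serializable {
        private static final long serialVersionUID = 1L;
        final Object roleCache = new Object();
    }

    public static void main(String[] args) {
        // Constructed session contents; the keys are placeholders, not Turbine's
        // actual User.SESSION_KEY / AccessControlList.SESSION_KEY values.
        Map<String, Object> session = new LinkedHashMap<>();
        session.put("demo.user", new DemoUser("alice"));
        session.put("demo.acl", new DemoAcl());
        for (Report r : check(session)) {
            System.out.println(r);
        }
    }
}
```

Inside a servlet or a Turbine session validator, the map can be filled by iterating `HttpSession.getAttributeNames()` and calling `getAttribute()` for each name; running the check once after login shows immediately whether the ACL (or anything nested inside it) is the attribute that a Tomcat persistent or replicated session manager would silently drop, which is the same information the Tomcat startup and shutdown logs give, but available on demand.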
