The User is stored in the session. At the top of TorqueUser.java
http://turbine.apache.org/turbine/turbine-2.3.3/xref/org/apache/turbine/services/security/torque/TorqueUser.html

    /** This is data that will survive a servlet engine restart. */
    private Hashtable permStorage = null;

    /** This is data that will not survive a servlet engine restart. */
    private Hashtable tempStorage = null;

When I restart Tomcat, the tempStorage (ironically) is serialized and saved. The permStorage does not get saved for some reason. Nothing is crashing, catalina.out is clean, and everything else serializes fine.

Ross

> Date: Fri, 18 Dec 2009 18:17:43 +0100
> From: [email protected]
> To: [email protected]
> Subject: Re: ACL serialization.
>
> Sheldon Ross wrote:
> > At the start it makes a distinction between permanent storage,
> > and temporary. These appear to refer to (database) and (session)
> > respectively. The problem lies with the fact that there is no link between
> > the two.
>
> I cannot confirm this. data.getUser() provides the user object from the
> session, where it is stored as User.SESSION_KEY.
>
> Likewise, the ACL for the user that you get with data.getACL() is stored
> in the session as AccessControlList.SESSION_KEY.
>
> > The underlying user account object is stored in permanent storage
> > and as such, if you update its name, email, etc, it updates the permanent
> > storage object in memory. However, the session has no record of this.
>
> It would have, if you manipulate the user object in the session. The
> user object has a save()-method.
>
> > This appears to be a serious limitation for sharing sessions across server
> > nodes.
>
> I guess the problem is just that the user/acl implementation is not
> serializable for some reason.
>
> >> So I set the user and acl when someone logs in via
> >>
> >> user = TurbineSecurity.getAuthenticatedUser( username, password );
> >> data.setUser(user);
> >>
> >> and the aforementioned ACL code.
>
> This is actually part of the session validator code.
>
> >>> data.save();
>
> This only saves the user object to the session, not the ACL. The ACL is
> built and saved to the session by the AccessController.
>
> >>> Any thoughts as to what I'm doing wrong, and how I can get the ACL to
> >>> persist with the
> >>> session?
>
> If objects stored in the session are not serializable, Tomcat will log
> that during shutdown or during startup. See your Tomcat logs for what
> really happens.
>
> This problem looks strange to me. What session validators,
> ACL-implementations or other security-related settings do you have in place?
>
> Bye, Thomas.
