Alright, I solved the problem. The TorqueObject.java I had apparently was old. (I swear I just downloaded the source about a month ago)
It didn't implement Serializable, therefore the obj in TorqueUser was not saving. Which was odd because I figured it should crash, but everything else about TorqueUser was serializing fine. How does half an object serialize, and the other parts not?

Oh well, now I just have to figure out how to get the activesessions to save. My sessions restore, and I can perform actions/access pages correctly. But my admin list of who's logged on is empty.

> Date: Fri, 18 Dec 2009 18:17:43 +0100
> From: [email protected]
> To: [email protected]
> Subject: Re: ACL serialization.
>
> Sheldon Ross wrote:
> > At the start it makes a distinction between permanent storage,
> > and temporary. These appear to refer to (database) and (session)
> > respectively. The problem lies with the fact that there is no link between
> > the two.
>
> I cannot confirm this. data.getUser() provides the user object from the
> session, where it is stored as User.SESSION_KEY.
>
> Likewise, the ACL for the user that you get with data.getACL() is stored
> in the session as AccessControlList.SESSION_KEY.
>
> > The underlying user account object is stored in permanent storage
> > and as such, if you update its name, email, etc, it updates the permanent
> > storage object in memory. However, the session has no record of this.
>
> It would have, if you manipulate the user object in the session. The
> user object has a save()-method.
>
> > This appears to be a serious limitation for sharing sessions across server
> > nodes.
>
> I guess the problem is just that the user/acl implementation is not
> serializable for some reason.
>
> >> So I set the user and acl when someone logs in via
> >>
> >> user = TurbineSecurity.getAuthenticatedUser( username, password );
> >> data.setUser(user);
> >>
> >> and the aforementioned ACL code.
>
> This is actually part of the session validator code.
>
> >>> data.save();
>
> This only saves the user object to the session, not the ACL. The ACL is
> built and saved to the session by the AccessController.
>
> >>> Any thoughts as to what I'm doing wrong, and how I can get the ACL to
> >>> persist with the
> >>> session?
>
> If objects stored in the session are not serializable, Tomcat will log
> that during shutdown or during startup. See your Tomcat logs for what
> really happens.
>
> This problem looks strange to me. What session validators,
> ACL-implementations or other security-related settings do you have in place?
>
> Bye, Thomas.
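
Added example, not part of the thread and not Turbine or Torque code: one standard Java mechanism by which an object can serialize "halfway" without any exception, namely a Serializable class whose parent class is not Serializable. The class names BaseObject and SessionUser and the sample values are hypothetical, and the assumption is that the session-stored object inherits its missing state from such a parent.

```java
import java.io.*;

public class PartialSerializationDemo {
    // Hypothetical base class that does NOT implement Serializable.
    static class BaseObject {
        protected String backing;          // state that lives in the parent
        BaseObject() { }                   // re-run by the JVM on deserialization
        BaseObject(String backing) { this.backing = backing; }
    }

    // Hypothetical session-stored user: Serializable, but inherits parent state.
    static class SessionUser extends BaseObject implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final boolean loggedIn;

        SessionUser(String name, String backing) {
            super(backing);
            this.name = name;
            this.loggedIn = true;
        }
    }

    // Same write/read cycle a container performs when it persists a session.
    static SessionUser roundTrip(SessionUser u) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(u);            // no exception: parent fields are skipped
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (SessionUser) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        SessionUser restored = roundTrip(new SessionUser("alice", "db-row-42"));
        System.out.println("name     = " + restored.name);     // own field, restored
        System.out.println("loggedIn = " + restored.loggedIn); // own field, restored
        System.out.println("backing  = " + restored.backing);  // parent field
        if (restored.backing == null) {
            System.out.println("parent state was silently dropped");
        }
    }
}
```

A NotSerializableException is only thrown when a non-transient field of a Serializable class refers to a non-serializable object; inherited state from a non-Serializable parent is reset by the parent's no-arg constructor instead, which is why a restored session can look valid while security-relevant state is missing.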
