Arthur Taylor wrote:
Oh. I had read 'ev.' as 'evidently' :)
nice :)
Absent changing that, then, is there any recommended mitigation strategy; should we be killing all open and cached sessions whenever there is a permissions change?
permission changes are a different thing... the compiled permissions are intended to be notified and recalculated whenever the permissions for any of the principals it has been created for are modified. if that doesn't work it's a bug.

what the TODO refers to is: the permissions are compiled for the set of principals that have been set to the Subject (most probably upon login). the default implementation retrieves the set from the principal provider configured for that login module... that's the reason for my doubts... forcing the recalculation of the compiled permissions was more or less straightforward: close the existing one and create a new one with the new set of principals.

angela