Change user-logged authorities on the fly

Hello guys!
I am a newbie with Acegi, and I only know how to use it in the basic way. But now I need to do some advanced things ...

I am currently looking for the way to modify the authorities binded to a logged user by himself, in order to change the menu options for that user in "real time" (with no logout). If the user performs a logout and then get logged in again, everything works ok and the new menu options for the new grant are available.

I need this behaviour because there is a permission that is granted (and stored in database) when the user click in a button after accept the terms of use of my app (this is made only once for each user).

I get the current authorities with this code:

Code:

---

Authentication currentUser = securityContextHolder.getContext().getAuthentication();
UserDetailsImpl userDetails = (UserDetailsImpl) currentUser.getPrincipal();
GrantedAuthority gas[] =userDetails.getAuthorities();

---

After this, I add some new grants to gas array, and then put it again into the currentUser

Code:

---

userDetails.setAuthorities(gas);

---

My web interface is made using acegi taglibs in order to render the menu only with granted options:

Code:

---

<authz:authorize ifAnyGranted="MENU1,MENU2">

---

But, after refreshing or rendering again the JSP, it looks like the new granted options are not available (or the user authorities are not updated) and I can't see the new menu options that I should see.

Anyone could help me whit this? Any idea?

Thanks in advance!

Okay ... I found the solution.

Acegi securitycontext stores the user information in the ContextHolder. And you can get all the information of the authenticated user.

You can change the authorities in this way:

Code:

---

SecurityContext sc = SecurityContextHolder.getContext();
Authentication currentUser = sc.getAuthentication();
UserDetailsImpl userDetails = (UserDetailsImpl) currentUser.getPrincipal();

ArrayList authorities = new ArrayList(2);
authorities.add(new GrantedAuthorityImpl("DUMMY"));
                        userDetails.setAuthorities((GrantedAuthority[])authorities.toArray(new GrantedAuthority[]{}));

---

But this is only valid for the life of the current thread. If you need to make persistent this every time you invoke the above code:

Code:

---

SecurityContext sc = SecurityContextHolder.getContext();
Authentication currentUser = sc.getAuthentication();
UserDetailsImpl userDetails = (UserDetailsImpl) currentUser.getPrincipal();

---

You have to re-aunthenticate the authentication token (in my issue, an UsernamePasswordAuthenticationToken) in this way:

Code:

---

UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(currentUser.getPrincipal(),currentUser.getCredentials(),(GrantedAuthority[])authorities.toArray(new GrantedAuthority[]{}));

sc.setAuthentication(authentication);
SecurityContextHolder.setContext(sc);

---

Now, the changes will be available every time you need it.