I have a couple of questions regarding Preauthentication using SiteMinder scenario....
1). To invalidate a session on principal change, what all should be there in the configuration file? I thought have the attribute "invalidateSessionOnPrincipalChange" = true will be enough. But it doesn't work. I am using "Modify Header" add-on for firefox to add a header that will be used as principalRequestHeader. I connected to the app using once value and if I change the header value and refresh the page, its not getting the new header value. The old one is still the principal user.
2). Is the call to custom UserDetialsService made per request or is it only if no active user session exists for that principalrequestheader ? If it is second case, then how are the roles managed if there is a change in the user permission. I mean, I am attaching the roles to custom User object inside loadUserByUsername method of the Custom UserDetailsService class. So lets say, a user "XYZ" is an admin and he is logged into the app. For the first time, the request goes to loadUserBYUserName method and the roles are retrieved from db and added to User. Now if the user XYZ's permissions are changed on the database then how do we change the roles for this user. He was already logged in and the call to loadUser.. wouldn't happen. This is all assuming that the call to that method made only once per session. If it is per request, it wouldn't matter..
thanks in advance,