My UserDao.loadByUsername() returns a UserDetails implemented by a User class. Hibernate is the loader of the User, and the User/UserDetails becomes the Authentication object for Acegi.
So basically this means I have a detached User entity in subsequent requests.
I want to be able to reuse the User in other requests, and so I had a filter which reattached the object to the current OSIV session. This worked, except when I found out that concurrent requests by the user would make the application bomb :-) The User has a collection of Roles and Hibernate does not allow collections to be associated with more than one session.
So what's the correct solution? Do I just simply not use the User/Authentication object? Reload the User from the database on each request?
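
One of the options the question raises, reloading the User on each request, as an added example that is not part of the original post: the Authentication holds an immutable snapshot with no Hibernate collection, and each request loads its own entity in its own session. `PrincipalSnapshot`, `getUserId()` and `currentUser()` are hypothetical names; a Long primary key and role names held as Strings are assumptions about the poster's User class.

```java
import java.io.Serializable;
import java.util.Iterator;
import java.util.Set;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.UserDetails;
import org.hibernate.Session;

/** Immutable copy of what Acegi needs. It holds no Hibernate-managed
 *  collection, so concurrent requests can share it safely. */
public final class PrincipalSnapshot implements UserDetails, Serializable {
    private final Long userId;            // assumption: User has a Long primary key
    private final String username;
    private final String password;
    private final GrantedAuthority[] authorities;

    /** Build inside the loading session (e.g. in UserDao.loadByUsername())
     *  so the lazy Roles collection can still be read. */
    public PrincipalSnapshot(Long userId, String username, String password, Set roleNames) {
        this.userId = userId;
        this.username = username;
        this.password = password;
        this.authorities = new GrantedAuthority[roleNames.size()];
        int i = 0;
        for (Iterator it = roleNames.iterator(); it.hasNext();) {
            authorities[i++] = new GrantedAuthorityImpl((String) it.next());
        }
    }

    public Long getUserId() { return userId; }
    public String getUsername() { return username; }
    public String getPassword() { return password; }
    public GrantedAuthority[] getAuthorities() { return (GrantedAuthority[]) authorities.clone(); }
    // Assumption: account-state flags are not modelled here; map them from User if it has them.
    public boolean isAccountNonExpired() { return true; }
    public boolean isAccountNonLocked() { return true; }
    public boolean isCredentialsNonExpired() { return true; }
    public boolean isEnabled() { return true; }

    /** Per request: load a User owned by this request's session (the OSIV one)
     *  instead of reattaching one instance shared between requests. */
    public static Object currentUser(Session session, Class userEntityClass) {
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        return session.get(userEntityClass, ((PrincipalSnapshot) principal).getUserId());
    }
}
```

The authorities are copied when the snapshot is built, so a role change made in the database only affects authorization decisions once the snapshot is rebuilt, for example at the next login.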