When using permissions I want to make sure that whenever the client is restarted, the permissions are reloaded. I chose to clear the permission cache on server side when loading a new ServerSession. So the implementation in my ServerSession looks like:
I think the idea behind the default implementation of the AccessControlStore is:
1/ The cache is cleared when the database tables responsible for authorization (users, roles, permissions...) are updated.
2/ When a user re-login, if the server is still running we do not need to reload the permissions and can just get them form the server in memory cache.
In our company we develop BSI CRM and BSI Contact Center with Eclipse Scout.
Those are real productive applications with a lot of user. We integrate the application by a lot of customer and in most of the case there are some last tests on the client infrastructure.
I just spoke with developers about your question, and it occurs that they are not using the AccessControlStore provided by Scout (from what I understood they have an improved version or something like that)
Can you define what is "a lot" of concurrent users in your case?
If you run some tests, please let us know. I think there is no reason (beside time and money) why we did not move their solution (or a similar one) inside the Eclipse Scout Framework. So do not hesitate to report your findings and your needs. We should be able to move forward on this topic.