I haven't understood this part clearly - the use of Session with User and Roles. Is there any use case where a session can be used to activate the roles?
Is it correct to understand that the session is stored in the database for validation, so that if any user has fiddled with the session it can be validated? How frequently should this validation be implemented on the server side? I understand that using an ORM tool like Hibernate can store the value in the persistence layer, but wouldn't this additional validation hit performance?
RBAC has been an established model for over a decade. Are most of the security frameworks today based on RBAC?