Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java
===================================================================
diff -u -r1aeb1a8e497e3dc07173d5c9da597c491bd352be -rc2cee57555afd519f8592f17626a21f41499fcac
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java	(.../OrgManageAction.java)	(revision 1aeb1a8e497e3dc07173d5c9da597c491bd352be)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java	(.../OrgManageAction.java)	(revision c2cee57555afd519f8592f17626a21f41499fcac)
@@ -44,9 +44,12 @@
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.UserOrganisation;
 import org.lamsfoundation.lams.usermanagement.UserOrganisationRole;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.MessageService;
 import org.lamsfoundation.lams.util.WebUtil;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
@@ -115,7 +118,7 @@
 		log.debug("orgType:"+orgManageForm.getType());
 		List<OrgManageBean> orgManageBeans = new ArrayList<OrgManageBean>();
 		//if(getService().isUserSysAdmin(username)){
-		Integer userId = getService().getUserByLogin(request.getRemoteUser()).getUserId();
+		Integer userId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID();
 		if(request.isUserInRole(Role.SYSADMIN) || getService().isUserInRole(userId, orgId, Role.COURSE_ADMIN) || getService().isUserInRole(userId, orgId, Role.COURSE_MANAGER)){
 			Integer type;
 			if(orgManageForm.getType().equals(OrganisationType.ROOT_TYPE)){
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserAction.java
===================================================================
diff -u -rbd8f520de2f68177edd4b56458ba2427033b7286 -rc2cee57555afd519f8592f17626a21f41499fcac
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserAction.java	(.../UserAction.java)	(revision bd8f520de2f68177edd4b56458ba2427033b7286)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserAction.java	(.../UserAction.java)	(revision c2cee57555afd519f8592f17626a21f41499fcac)
@@ -82,24 +82,22 @@
             HttpServletResponse response) throws Exception {
 		// retain orgId to return to userlist
 		Integer orgId = WebUtil.readIntParam(request,"orgId");
-		if(orgId != null) {
-		    request.setAttribute("org",orgId);
-		}
 		Organisation org = (Organisation)getService().findById(Organisation.class,orgId);
 		OrganisationType orgType = org.getOrganisationType();
 		Boolean isSysadmin = request.isUserInRole(Role.SYSADMIN);
 		
-		request.setAttribute("rolelist",filterRoles(rolelist,isSysadmin, orgType));
+		request.getSession().setAttribute("rolelist",filterRoles(rolelist,isSysadmin, orgType));
 		// set canEdit for whether user should be able to edit anything other than roles
 		request.setAttribute("canEdit",isSysadmin);
-		request.setAttribute("locales",locales);
+		request.getSession().setAttribute("locales",locales);
 		
 		// editing a user
 		Integer userId = WebUtil.readIntParam(request,"userId",true);
 		DynaActionForm userForm = (DynaActionForm)form;
 		if(userId != null) {
 			log.debug("got userid to edit: "+userId);
 			User user = (User)getService().findById(User.class,userId);
+			request.getSession().setAttribute("user", user);
 			BeanUtils.copyProperties(userForm, user);
 			userForm.set("password",null);
 			
@@ -108,6 +106,8 @@
 			while(iter.hasNext()){
 			    UserOrganisation uo = (UserOrganisation)iter.next();
 			    if(uo.getOrganisation().getOrganisationId().equals(orgId)){
+			    	request.getSession().setAttribute("uo", uo);
+			    	request.getSession().setAttribute("uors", uo.getUserOrganisationRoles());
 			        Iterator iter2 = uo.getUserOrganisationRoles().iterator();
 			        String[] roles = new String[uo.getUserOrganisationRoles().size()];
 			        int i=0;
@@ -122,6 +122,7 @@
 			    }
 			}
 			SupportedLocale locale = getService().getSupportedLocale(user.getLocaleLanguage(),user.getLocaleCountry());
+			request.getSession().setAttribute("locale", locale);
 			userForm.set("localeId",locale.getLocaleId());
 			
 		}else{
@@ -131,20 +132,20 @@
 				String defaultLocale = Configuration.get(ConfigurationKeys.SERVER_LANGUAGE);
 				log.debug("defaultLocale: "+defaultLocale);
 				SupportedLocale locale = getService().getSupportedLocale(defaultLocale.substring(0,2),defaultLocale.substring(3));
+				request.getSession().setAttribute("locale", locale);
 				userForm.set("localeId",locale.getLocaleId());
 			}catch(Exception e){
                 log.debug(e);				
 			}
 		}
-		
+		userForm.set("orgId", org.getOrganisationId());
+
 		Organisation parentOrg = org.getParentOrganisation();
 		if(parentOrg!=null){
-			request.setAttribute("pOrgId",parentOrg.getOrganisationId());
-			request.setAttribute("pOrgName",parentOrg.getName());
+			request.getSession().setAttribute("parentOrg",parentOrg);
 		}
-		request.setAttribute("orgId",orgId);
-		request.setAttribute("orgName",org.getName());
-		request.setAttribute("orgType",orgType.getOrganisationTypeId());
+		request.getSession().setAttribute("org",org);
+		request.getSession().setAttribute("orgType",orgType);
 		return mapping.findForward("user");
 	}
 	
@@ -178,6 +179,7 @@
 		return allRoles;
 	}
 	
+	@SuppressWarnings("unchecked")
 	private IUserManagementService getService(){
 		if(service==null){
 			WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet().getServletContext());
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java
===================================================================
diff -u -r1aeb1a8e497e3dc07173d5c9da597c491bd352be -rc2cee57555afd519f8592f17626a21f41499fcac
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java	(.../UserManageAction.java)	(revision 1aeb1a8e497e3dc07173d5c9da597c491bd352be)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java	(.../UserManageAction.java)	(revision c2cee57555afd519f8592f17626a21f41499fcac)
@@ -25,6 +25,7 @@
 package org.lamsfoundation.lams.admin.web;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 
@@ -37,15 +38,17 @@
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
 import org.apache.struts.action.ActionMapping;
-import org.apache.struts.action.ActionMessage;
-import org.apache.struts.action.ActionMessages;
 import org.lamsfoundation.lams.usermanagement.Organisation;
 import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
+import org.lamsfoundation.lams.usermanagement.dto.UserManageBean;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.MessageService;
 import org.lamsfoundation.lams.util.WebUtil;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
@@ -70,13 +73,13 @@
 	private static IUserManagementService service;
 	private static MessageService messageService;
 	
+	@SuppressWarnings("unchecked")
 	public ActionForward execute(ActionMapping mapping,
             ActionForm form,
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
 		// get id of org to list users for
-		ActionMessages errors = new ActionMessages();
 		Integer orgId = WebUtil.readIntParam(request,"org",true);
 		if(orgId==null){
 			orgId = (Integer)request.getAttribute("org");
@@ -107,7 +110,7 @@
 		request.setAttribute("orgType",orgType.getOrganisationTypeId());
 		
 		
-		Integer userId = getService().getUserByLogin(request.getRemoteUser()).getUserId();
+		Integer userId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID();
 		Organisation orgOfCourseAdmin = (orgType.getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) ? pOrg : organisation;
         // check permission
 		if(request.isUserInRole(Role.SYSADMIN)){
@@ -120,33 +123,13 @@
 			return mapping.findForward("error");
 		}
 		
-		// get list of users in org
-		List users = getService().getUsersFromOrganisation(orgId);
-		Collections.sort(users);
 		
 		// create form object
 		UserListDTO userManageForm = new UserListDTO();
 		userManageForm.setOrgId(orgId);
 		userManageForm.setOrgName(orgName);
-		
-		// populate form object
-		List<UserManageBean> userManageBeans = new ArrayList<UserManageBean>();
-		for(int i=0; i<users.size(); i++) {
-			User user = (User)users.get(i);
-			UserManageBean userManageBean = new UserManageBean();
-			BeanUtils.copyProperties(userManageBean, user);
-			List roles;
-			try{
-				roles = getService().getRolesForUserByOrganisation(user, orgId);
-				Collections.sort(roles);
-			} catch(NullPointerException e){
-				roles = new ArrayList();
-				log.debug("no roles found for user: "+user);
-			}
-			userManageBean.setRoles(roles);
-			userManageBeans.add(userManageBean);
-		}
-		
+		List<UserManageBean> userManageBeans = getService().getUserManageBeans(orgId);
+		Collections.sort(userManageBeans);
 		userManageForm.setUserManageBeans(userManageBeans);
 		request.setAttribute("UserManageForm", userManageForm);
 		
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java
===================================================================
diff -u -r1aeb1a8e497e3dc07173d5c9da597c491bd352be -rc2cee57555afd519f8592f17626a21f41499fcac
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java	(.../UserOrgAction.java)	(revision 1aeb1a8e497e3dc07173d5c9da597c491bd352be)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java	(.../UserOrgAction.java)	(revision c2cee57555afd519f8592f17626a21f41499fcac)
@@ -43,9 +43,12 @@
 import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.MessageService;
 import org.lamsfoundation.lams.util.WebUtil;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
@@ -99,18 +102,18 @@
 		request.setAttribute("orgType",orgType);
 				
 		// get list of users in org
-		User user = (User)getService().getUserByLogin(request.getRemoteUser());
+		Integer userId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID();
 		List users = new ArrayList<User>();
 		Organisation orgOfCourseAdmin = (orgType.equals(OrganisationType.CLASS_TYPE)) ? parentOrg : organisation;
 		if(request.isUserInRole(Role.SYSADMIN)){
 			users = getService().findAll(User.class);
-		}else if(getService().isUserInRole(user.getUserId(),orgOfCourseAdmin.getOrganisationId(),Role.COURSE_ADMIN)){
+		}else if(getService().isUserInRole(userId,orgOfCourseAdmin.getOrganisationId(),Role.COURSE_ADMIN)){
 			if(orgOfCourseAdmin.getCourseAdminCanAddNewUsers()){
 				if(orgOfCourseAdmin.getCourseAdminCanBrowseAllUsers()){
 					users = getService().findAll(User.class);
-				}else if(orgType.equals(new Integer(OrganisationType.CLASS_TYPE))){
+				}else if(orgType.equals(OrganisationType.CLASS_TYPE)){
 					users = getService().getUsersFromOrganisation(parentOrg.getOrganisationId());
-				}else if(orgType.equals(new Integer(OrganisationType.COURSE_TYPE))){
+				}else if(orgType.equals(OrganisationType.COURSE_TYPE)){
 					users = getService().getUsersFromOrganisation(orgId);
 				}
 			}else{
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgSaveAction.java
===================================================================
diff -u -r4d93a85aeb9998c7d81d99a82f626ff51eab4061 -rc2cee57555afd519f8592f17626a21f41499fcac
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgSaveAction.java	(.../UserOrgSaveAction.java)	(revision 4d93a85aeb9998c7d81d99a82f626ff51eab4061)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgSaveAction.java	(.../UserOrgSaveAction.java)	(revision c2cee57555afd519f8592f17626a21f41499fcac)
@@ -40,10 +40,10 @@
 import org.apache.struts.action.ActionMapping;
 import org.apache.struts.action.DynaActionForm;
 import org.lamsfoundation.lams.usermanagement.Organisation;
+import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.UserOrganisation;
-import org.lamsfoundation.lams.usermanagement.UserOrganisationRole;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -72,7 +72,9 @@
 
 	private static Logger log = Logger.getLogger(UserOrgSaveAction.class);
 	private static IUserManagementService service;
+	private List<Role> rolelist;
 	
+	@SuppressWarnings("unchecked")
 	public ActionForward execute(ActionMapping mapping,
             ActionForm form,
             HttpServletRequest request,
@@ -137,18 +139,36 @@
 		if(newUserOrganisations.isEmpty()){
 			return mapping.findForward("userlist");
 		}else{  // send user to screen where they can assign roles for the newly added users
-			List roles = getService().getRolesForOrgType(organisation.getOrganisationType(),false);
-			request.setAttribute("roles",roles);
+			request.setAttribute("roles",filterRoles(rolelist,false, organisation.getOrganisationType()));
 			request.setAttribute("newUserOrganisations",newUserOrganisations);
 			request.setAttribute("orgId",orgId);
 			return mapping.findForward("userorgrole");
 		}
 	}
 	
+	private List<Role> filterRoles(List<Role> rolelist, Boolean isSysadmin, OrganisationType orgType){
+		List<Role> allRoles = new ArrayList<Role>();
+		allRoles.addAll(rolelist);
+		Role role = new Role();
+		if(!isSysadmin) {
+			role.setRoleId(Role.ROLE_SYSADMIN);
+			allRoles.remove(role);
+		}
+		if(orgType.getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) {
+			role.setRoleId(Role.ROLE_COURSE_ADMIN);
+			allRoles.remove(role);
+			role.setRoleId(Role.ROLE_COURSE_MANAGER);
+			allRoles.remove(role);
+		}
+		return allRoles;
+	}
+	
+	@SuppressWarnings("unchecked")
 	private IUserManagementService getService(){
 		if(service==null){
 			WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet().getServletContext());
 			service = (IUserManagementService) ctx.getBean("userManagementServiceTarget");
+			rolelist = getService().findAll(Role.class);
 		}
 		return service;
 	}
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserSaveAction.java
===================================================================
diff -u -rcc77d96c1c7fb5185915fc4e877cbd02f357364b -rc2cee57555afd519f8592f17626a21f41499fcac
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserSaveAction.java	(.../UserSaveAction.java)	(revision cc77d96c1c7fb5185915fc4e877cbd02f357364b)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserSaveAction.java	(.../UserSaveAction.java)	(revision c2cee57555afd519f8592f17626a21f41499fcac)
@@ -26,15 +26,14 @@
 
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.beanutils.BeanUtils;
 import org.apache.log4j.Logger;
@@ -60,206 +59,195 @@
 
 /**
  * @author Jun-Dir Liew
- *
+ * 
  * Created at 12:35:38 on 14/06/2006
  */
 
 /**
  * struts doclets
  * 
- * @struts:action path="/usersave"
- *                name="UserForm"
- *                input=".user"
- *                scope="request"
+ * @struts:action path="/usersave" name="UserForm" input=".user" scope="request"
  *                validate="false"
- *
- * @struts:action-forward name="user"
- *                        path=".user"                
- * @struts:action-forward name="userlist"
- *                        path="/usermanage.do"
+ * 
+ * @struts:action-forward name="user" path=".user"
+ * @struts:action-forward name="userlist" path="/usermanage.do"
  */
 public class UserSaveAction extends Action {
 
 	private static Logger log = Logger.getLogger(UserSaveAction.class);
+
 	private static IUserManagementService service;
-	
-	public ActionForward execute(ActionMapping mapping,
-            ActionForm form,
-            HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-		DynaActionForm userForm = (DynaActionForm)form;
+
+	@SuppressWarnings("unchecked")
+	public ActionForward execute(ActionMapping mapping, ActionForm form,
+			HttpServletRequest request, HttpServletResponse response)
+			throws Exception {
+
+		DynaActionForm userForm = (DynaActionForm) form;
 		Boolean edit = false;
 		Boolean passwordChanged = true;
-		Integer orgId = (Integer)userForm.get("orgId");
+
+		Integer orgId = (Integer) userForm.get("orgId");
 		
-		if(isCancelled(request)){
-			request.setAttribute("org",orgId);
+		if (isCancelled(request)) {
+			request.setAttribute("org", orgId);
 			return mapping.findForward("userlist");
 		}
-		
-		Integer userId = (Integer)userForm.get("userId");
-		log.debug("got userId: "+userId);
-		if(userId!=0) edit = true;
-		
+
+		Integer userId = (Integer) userForm.get("userId");
+		log.debug("got userId: " + userId);
+
+		if (userId != 0)
+			edit = true;
+
 		ActionMessages errors = new ActionMessages();
-		if((userForm.get("login")==null)||(((String)userForm.getString("login").trim()).length()==0)){
-			errors.add("login",new ActionMessage("error.login.required"));
+		if ((userForm.get("login") == null)
+				|| (userForm.getString("login").trim().length() == 0)) {
+			errors.add("login", new ActionMessage("error.login.required"));
 		}
-		if(!userForm.get("password").equals(userForm.get("password2"))){
-			errors.add("password",new ActionMessage("error.newpassword.mismatch"));
+		if (!userForm.get("password").equals(userForm.get("password2"))) {
+			errors.add("password", new ActionMessage(
+					"error.newpassword.mismatch"));
 		}
-		if((userForm.get("password")==null)||(((String)userForm.getString("password").trim()).length()==0)){
+		if ((userForm.get("password") == null)
+				|| (((String) userForm.getString("password").trim()).length() == 0)) {
 			passwordChanged = false;
-			if(!edit) errors.add("password",new ActionMessage("error.password.required"));
+			if (!edit)
+				errors.add("password", new ActionMessage(
+						"error.password.required"));
 		}
-		
-		SupportedLocale locale = (SupportedLocale)getService().findById(SupportedLocale.class,(Byte)userForm.get("localeId"));
-		log.debug("locale: "+locale);
-		
-		if(errors.isEmpty()){
+
+		SupportedLocale locale = (SupportedLocale) request.getSession()
+				.getAttribute("locale");
+		log.debug("locale: " + locale);
+
+		if (errors.isEmpty()) {
+			List<Role> allRoles = (List<Role>)request.getSession().getAttribute("rolelist");
 			User user;
-			String[] roles = (String[])userForm.get("roles");
-			if(edit){    // edit user
-				log.debug("editing userId: "+userId);
-				user = (User)getService().findById(User.class,userId);
-				if(passwordChanged) {
-					userForm.set("password",HashUtil.sha1((String)userForm.get("password")));
-				}else{
-					userForm.set("password",user.getPassword());
+			String[] roles = (String[]) userForm.get("roles");
+			if (edit) { // edit user
+				log.debug("editing userId: " + userId);
+				user = (User) request.getSession().getAttribute("user");
+				if (passwordChanged) {
+					userForm.set("password", HashUtil.sha1((String) userForm.get("password")));
+				} else {
+					userForm.set("password", user.getPassword());
 				}
-				BeanUtils.copyProperties(user,userForm);
+				BeanUtils.copyProperties(user, userForm);
 				user.setLocaleCountry(locale.getCountryIsoCode());
 				user.setLocaleLanguage(locale.getLanguageIsoCode());
-				log.debug("country: "+user.getLocaleCountry());
-				log.debug("language: "+user.getLocaleLanguage());
-				
-				List rolesList = Arrays.asList(roles);
-				log.debug("rolesList.size: "+rolesList.size());
-				Set uos = user.getUserOrganisations();
-				Iterator iter = uos.iterator();
-				while(iter.hasNext()){
-				    UserOrganisation uo = (UserOrganisation)iter.next();
-				    if(uo.getOrganisation().getOrganisationId().equals(orgId)){
-				    	Set uors = uo.getUserOrganisationRoles();
-				        for(int i=0; i<roles.length; i++){    // add new roles set by user
-				        	Integer roleId = Integer.valueOf(roles[i]);
-				        	Boolean alreadyHasRole = false;
-				        	Iterator iter2 = uors.iterator();
-				        	while(iter2.hasNext()){
-				        		UserOrganisationRole uor = (UserOrganisationRole)iter2.next();
-				        		if(uor.getRole().getRoleId().equals(roleId)){
-				        			alreadyHasRole = true;
-				        			break;  // already found uor that matches this role
-				        		}
-				        	}
-				        	if(!alreadyHasRole){    // add new role
-				        		Role currentRole = (Role)getService().findById(Role.class,roleId);
-					            log.debug("setting role: "+currentRole);
-					            UserOrganisationRole newUor = new UserOrganisationRole(uo,currentRole);
-					            getService().save(newUor);
-					            uors.add(newUor);
-				        	}
-				        }
-				        Iterator iter3 = uors.iterator();
-				        while(iter3.hasNext()){
-				        	UserOrganisationRole uor = (UserOrganisationRole)iter3.next();
-				        	Integer currentRoleId = uor.getRole().getRoleId();
-				        	//log.debug("currentRoleId: "+currentRoleId.toString());
-				        	//log.debug("rolesList: "+rolesList);
-				        	if(rolesList.indexOf(currentRoleId.toString())<0){    // remove roles not set by user
-				        		log.debug("removing role: "+currentRoleId);
-				        		iter3.remove();
-				        		//log.debug("num roles: "+uors.size());
-				        	}
-				        }
-				        uo.setUserOrganisationRoles(uors);
-		        		uos.add(uo);
-		        		user.setUserOrganisations(uos);
-				        break;  // already found uo that matches this org
-				    }
+				log.debug("country: " + user.getLocaleCountry());
+				log.debug("language: " + user.getLocaleLanguage());
+				List<String> rolesList = Arrays.asList(roles);
+				List<String> rolesCopy = new ArrayList<String>();
+				rolesCopy.addAll(rolesList);
+				log.debug("rolesList.size: " + rolesList.size());
+				UserOrganisation uo = (UserOrganisation) request.getSession().getAttribute("uo");
+				Set<UserOrganisationRole> uors = (Set<UserOrganisationRole>) request.getSession().getAttribute("uors");
+				Set<UserOrganisationRole> uorsCopy = new HashSet<UserOrganisationRole>();
+				uorsCopy.addAll(uors);
+				//remove the common part from the rolesList and uors
+				//to get the uors to remove and the roles to add 
+				for(String roleId : rolesList) { 
+					for(UserOrganisationRole uor : uors) {
+						if (uor.getRole().getRoleId().toString().equals(roleId)) {
+							rolesCopy.remove(roleId);
+							uorsCopy.remove(uor);
+						}
+					}
 				}
+				uors.removeAll(uorsCopy);
+				for(String roleId : rolesCopy){
+					UserOrganisationRole uor = new UserOrganisationRole(uo, findRole(allRoles, roleId));
+					getService().save(uor);
+					uors.add(uor);
+				}
+				uo.setUserOrganisationRoles(uors);
 				getService().save(user);
-
-			}else{    // create user
+			} else { // create user
 				log.debug("creating user...");
 				user = new User();
-				userForm.set("password",HashUtil.sha1((String)userForm.get("password")));
-				BeanUtils.copyProperties(user,userForm);
-				log.debug("new login: "+user.getLogin());
-				if(getService().getUserByLogin(user.getLogin())!=null){
-					errors.add("loginUnique",new ActionMessage("error.login.unique"));
+				userForm.set("password", HashUtil.sha1((String) userForm
+						.get("password")));
+				BeanUtils.copyProperties(user, userForm);
+				log.debug("new login: " + user.getLogin());
+				if (getService().getUserByLogin(user.getLogin()) != null) {
+					errors.add("loginUnique", new ActionMessage("error.login.unique"));
 				}
-				if(errors.isEmpty()){
+				if (errors.isEmpty()) {
 					user.setDisabledFlag(false);
 					user.setCreateDate(new Date());
-					user.setAuthenticationMethod((AuthenticationMethod)getService().findByProperty(AuthenticationMethod.class,"authenticationMethodName","LAMS-Database").get(0));
+					user.setAuthenticationMethod((AuthenticationMethod) getService().findByProperty(AuthenticationMethod.class,
+							"authenticationMethodName","LAMS-Database").get(0));
 					user.setUserId(null);
 					user.setLocaleCountry(locale.getCountryIsoCode());
 					user.setLocaleLanguage(locale.getLanguageIsoCode());
 					getService().save(user);
-					log.debug("user: "+user.toString());
-					HashSet uos = new HashSet();
-					ArrayList<Integer> orgs = new ArrayList<Integer>();
-					orgs.add(orgId);
-					log.debug("organisation: "+orgId);
-                    // if user is to be added to a class, make user a member of parent course also
-					Organisation org = (Organisation)getService().findById(Organisation.class,orgId);
-					if(org.getOrganisationType().getOrganisationTypeId().equals(new Integer(OrganisationType.CLASS_TYPE))){
-						Integer courseOrgId = org.getParentOrganisation().getOrganisationId();
-						orgs.add(courseOrgId);
-						log.debug("organisation: "+courseOrgId);
+					log.debug("user: " + user.toString());
+					List<Organisation> orgs = new ArrayList<Organisation>();
+					// if user is to be added to a class, make user a member of
+					// parent course also
+					Organisation org = (Organisation)request.getSession().getAttribute("org");
+					orgs.add(org);
+					OrganisationType orgType = (OrganisationType)request.getSession().getAttribute("orgType");
+					if (orgType.getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) {
+						Organisation parentOrg = (Organisation)request.getSession().getAttribute("parentOrg");
+						orgs.add(parentOrg);
 					}
-					for(Integer id:orgs){
-						UserOrganisation uo = new UserOrganisation(user, (Organisation)getService().findById(Organisation.class,id));
-						uos.add(uo);
+					for (Organisation o : orgs) {
+						UserOrganisation uo = new UserOrganisation(user,o);
 						getService().save(uo);
-						log.debug("userOrganisation: "+uo);
-						for(int i=0; i<roles.length; i++){    // add new roles set by user
-				        	Integer roleId = Integer.valueOf(roles[i]);
-				            Role role = (Role)getService().findById(Role.class,roleId);
-					        UserOrganisationRole uor = new UserOrganisationRole(uo,role);
-					        getService().save(uor);
-					        log.debug("role: "+role);
-				        }
+						log.debug("created UserOrganisation: " + uo.getUserOrganisationId());
+						for (String roleId : roles) { 
+							UserOrganisationRole uor = new UserOrganisationRole(uo, findRole(allRoles,roleId));
+							getService().save(uor);
+							uo.addUserOrganisationRole(uor);
+						}
+						user.addUserOrganisation(uo);
 					}
-					user.setUserOrganisations(uos);
-					//getService().save(user);
 				}
 			}
 		}
-		
-		if(errors.isEmpty()){
-			request.setAttribute("org",orgId);
-			log.debug("orgId: "+orgId);
+
+		if (errors.isEmpty()) {
+			request.setAttribute("org", orgId);
+			log.debug("orgId: " + orgId);
+			clearSessionAttributes(request.getSession());
 			return mapping.findForward("userlist");
-		}else{
-			if(!edit){  // error screen on create user shouldn't show empty roles
-			    userForm.set("userId",null);
+		} else {
+			if (!edit) { // error screen on create user shouldn't show empty roles
+				userForm.set("userId", null);
 			}
-		    saveErrors(request,errors);
-		    Organisation org = (Organisation)getService().findById(Organisation.class,orgId);
-			Organisation parentOrg = org.getParentOrganisation();
-			if(parentOrg!=null){
-				request.setAttribute("pOrgId",parentOrg.getOrganisationId());
-				request.setAttribute("pOrgName",parentOrg.getName());
-			}
-			request.setAttribute("orgId",orgId);
-			request.setAttribute("orgName",org.getName());
-			List<SupportedLocale> locales = getService().findAll(SupportedLocale.class);
-			Collections.sort(locales);
-			request.setAttribute("locales",locales);
-			List allRoles = getService().findAll(Role.class);
-			Collections.sort(allRoles);
-			request.setAttribute("rolelist",allRoles);
-		    return mapping.findForward("user");
+			saveErrors(request, errors);
+			return mapping.findForward("user");
 		}
 	}
+
 	
-	private IUserManagementService getService(){
-		if(service==null){
-			WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet().getServletContext());
-			service = (IUserManagementService) ctx.getBean("userManagementServiceTarget");
+	private void clearSessionAttributes(HttpSession session) {
+		String[] attributes = {"locales","org","parentOrg","user","orgType","rolelist","uo","uors"};
+		for(String attr : attributes){
+			session.removeAttribute(attr);
 		}
+	}
+
+
+	private Role findRole(List<Role> allRoles, String roleId){
+		for(Role role: allRoles){
+			if(role.getRoleId().toString().equals(roleId))
+				return role;
+		}
+		return null;
+	}
+	
+	private IUserManagementService getService() {
+		if (service == null) {
+			WebApplicationContext ctx = WebApplicationContextUtils
+					.getRequiredWebApplicationContext(getServlet()
+							.getServletContext());
+			service = (IUserManagementService) ctx
+					.getBean("userManagementServiceTarget");
+		}
 		return service;
 	}
 }