Hi Mike, I'm assuming you're using Shiro's native sessions, since Shiro can't reasonably control how the Servlet container manages sessions.
Just calling subject.logout() will automatically invalidate the Subject's session. Shiro's default behavior is to delete any invalid or stopped session automatically to prevent orphans (this behavior can be disabled if you clean up your session store by some other process).

However, the ability to look up a session based on a subject's identity/principals in order to invalidate, delete or remove it from a cache does not exist by default. The current reason is that the ability to do so is very specific to the session data store mechanism - e.g. an RDBMS query (select * from sessions s where s.username = ?) or an enterprise cache (index on some session field). Because we don't know what datastore you're using for sessions, we don't provide this lookup capability out of the box.

However, you're not the first person to hint at needing this capability, and I think we could provide a reasonable API abstraction to enable this behavior cleanly. I've done it myself on my own projects and so I have good context to make this work from an API perspective.

SHIRO-117 [1] is related to this, but if you have any other needs, please either add to that issue or add a new one.

[1] https://issues.apache.org/jira/browse/SHIRO-117

Cheers

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

On Fri, Oct 1, 2010 at 10:05 AM, Mike K <[email protected]> wrote:
>
> Is there a clean way to get a handle to a session cache to invalidate a
> session when a user is deleted?
> There is a hook in AuthorizingRealm that lets one invalidate
> Authorization Cache entries.
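
One way to do the lookup discussed in the reply above when a user is deleted, as an added example that is not part of the original message or of Shiro itself: it scans `SessionDAO.getActiveSessions()` instead of running a datastore-specific indexed query. The class and method names are hypothetical, and it assumes Shiro 1.x native sessions whose primary principal is the username as a `String`.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// Hypothetical helper (not a Shiro class): ends every native session owned by one user.
public final class UserSessionTerminator {

    private final SessionDAO sessionDAO;

    public UserSessionTerminator(SessionDAO sessionDAO) {
        this.sessionDAO = sessionDAO;
    }

    /** Stops and deletes all active sessions bound to username; returns how many were removed. */
    public int terminateSessionsOf(String username) {
        // Copy first so deleting does not disturb the DAO's own collection while iterating.
        List<Session> active = new ArrayList<>(sessionDAO.getActiveSessions());
        int removed = 0;
        for (Session session : active) {
            Object attr = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (!(attr instanceof PrincipalCollection)) {
                continue; // anonymous session: no identity has been bound to it yet
            }
            // Assumption: the realm stores the username String as the primary principal.
            Object primary = ((PrincipalCollection) attr).getPrimaryPrincipal();
            if (!username.equals(primary)) {
                continue;
            }
            try {
                session.stop(); // mark invalid so any in-flight reference is rejected
            } catch (InvalidSessionException alreadyGone) {
                // Expired or stopped concurrently; still remove it from the store below.
            }
            sessionDAO.delete(session);
            removed++;
        }
        return removed;
    }
}
```

The scan is linear in the number of active sessions; on a large store, the indexed query or cache index mentioned in the reply is the better fit.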
