[Version: Shiro 1.1.0] [Cache: Coherence 3.7.1]

Is this an intended effect? I would have thought that the information just stays in the cache so that it doesn't have to go to the source again unless the cache is invalidated.
Basically, I have a scenario where multiple clients will log in using the same username/password (think DB user). The permission is currently used to manage collections of data so a user can access the data it's permitted to. Let's say a client logged out; the information is gone from the cache. This means that other clients using the same username will have to fetch the data from the source again. Is there currently a configuration to check if there are sessions with the same username left before wiping out the cache? Or maybe simply disable removal of user permissions from the cache until revalidated.

Also, it seems that Shiro doesn't cache the AuthenticationInfo object. Is there a way to configure it to do so? Authentication is mainly done at connection time (i.e. client connecting to service provider), but it may be useful to actually cache the information as well. A scenario for this is user impersonation. Even if a client can be authenticated at connection time, it may have to impersonate a user (maybe another client) that is invoking an operation. This means that each request has to be authenticated again (think web service with authentication token in the SOAP header). Authentication/Authorization will then become a bottleneck if it has to go back to the source every time.

Thanks,
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Authorization-Cache-Removed-when-Logged-Out-tp6360724p6360724.html
Sent from the Shiro User mailing list archive at Nabble.com.
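The session-counted eviction asked about above, as an added example that is not part of the original post and uses neither Shiro's nor Coherence's API: `SharedAuthorizationCache`, its methods and the sample username and permission are hypothetical, and Java 10 or later is assumed.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/** Hypothetical helper, not a Shiro class: one cached permission set per username. */
public class SharedAuthorizationCache {
    /** Immutable pair: cached permissions and the number of live sessions using them. */
    private static final class Entry {
        final Set<String> permissions;
        final int sessions;
        Entry(Set<String> p, int s) { permissions = p; sessions = s; }
    }

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, Set<String>> source; // the slow lookup, e.g. a DB query

    public SharedAuthorizationCache(Function<String, Set<String>> source) {
        this.source = source;
    }

    /** Call at login: goes to the source only for the first session of a username. */
    public Set<String> onLogin(String username) {
        return cache.compute(username, (user, e) -> e == null
                ? new Entry(Set.copyOf(source.apply(user)), 1)
                : new Entry(e.permissions, e.sessions + 1)).permissions;
    }

    /** Call at logout: evicts only when the last session of that username ends. */
    public void onLogout(String username) {
        cache.computeIfPresent(username, (user, e) ->
                e.sessions > 1 ? new Entry(e.permissions, e.sessions - 1) : null);
    }

    /** Call when permissions change at the source: drops the entry whatever the count,
     *  so the next login reloads; an early eviction afterwards only costs a reload. */
    public void invalidate(String username) {
        cache.remove(username);
    }

    public static void main(String[] args) {
        int[] loads = {0}; // counts trips to the constructed stand-in source
        SharedAuthorizationCache c = new SharedAuthorizationCache(
                user -> { loads[0]++; return Set.of("orders:read"); });
        c.onLogin("dbuser");   // first client: loads from the source
        c.onLogin("dbuser");   // second client, same username: served from the cache
        c.onLogout("dbuser");  // one session remains, entry is kept
        c.onLogin("dbuser");   // still served from the cache
        System.out.println("source loads: " + loads[0]);
    }
}
```

Keeping entries across logouts means a permission revoked at the source stays effective until `invalidate` is called or the entry expires, so revocation paths need to call it explicitly.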
