Authentication Caching will be in 1.2 (it's already in the trunk). As for clearing the cache on logout, I ran into this the other day. I was logging clients out programmatically, which I realized was bad for a bunch of reasons (for example, the client still thinks they are authenticated).
Why are you logging users out? Instead of just keeping the session around?

On Fri, May 13, 2011 at 3:26 PM, juminoz <[email protected]> wrote:

> [Version: Shiro 1.1.0]
> [Cache: Coherence 3.7.1]
>
> Is this an intended effect? I would have thought that the information just
> stays in the cache so that it doesn't have to go to the source again unless
> the cache is invalidated.
>
> Basically, I have a scenario where multiple clients will log in using the
> same username/password (think DB user). The permission is currently used to
> manage collections of data so user can access data it's permitted to. Let's
> say if a client logged out, the information is gone from the cache. This
> means that other client using the same username will have to fetch the data
> from the source again.
>
> Is there currently a configuration to check if there are sessions with the
> same username left before wiping out the cache? Or maybe simply disable
> removal of user permission from the cache until revalidated.
>
> Also, it seems that Shiro doesn't cache AuthenticationInfo object. Is there
> a way to configure it to do so? Authentication is mainly done at connection
> time (i.e. client connecting to service provider), but it may be useful to
> actually cache the information as well. A scenario for this is user
> impersonation. Even if a client can be authenticated at connection time, it
> may have to impersonate a user (maybe another client) that is invoking an
> operation. This means that each request has to be authenticated again
> (think web service with authentication token in the SOAP header).
> Authentication/Authorization will then become a bottleneck if it has to go
> back to the source every time.
>
> Thanks,
> Jack
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Authorization-Cache-Removed-when-Logged-Out-tp6360724p6360724.html
> Sent from the Shiro User mailing list archive at Nabble.com.
