I'm currently not explicitly storing Subject anywhere since I thought the framework automatically handles both subject and session. I basically assumed that subject stays around until session expires (may never expire).
Now I'm actually a little confused about how it's supposed to work. Brian mentioned in another thread that I should just keep sessions open and never actually log out so that authorization info stays in the cache: http://shiro-user.582556.n2.nabble.com/Authorization-Cache-Removed-when-Logged-Out-td6360724.html

If Subject is supposed to be short-lived, is Brian's suggested approach not recommended then?

My use cases are as follows. Note: the client can be web or non-web. A web client may also invoke a non-web client to invoke a non-web service.

1)
- Client logs in at connection time
- Client logs out when disconnecting

2)
- Client logs in when impersonating a user, invoking the client to call the service (username: <app user>/<end user>)
- Client logs out after completion of the impersonated call

Subject in the second use case is short-lived, but long-lived otherwise. My goal is to cache both authentication and authorization info in the cache so that in a high-volume transaction scenario, the bottleneck on ACL is minimized.

Thanks,
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Checking-Session-Timeout-tp6373753p6374925.html
Sent from the Shiro User mailing list archive at Nabble.com.
