Thanks for your help!
On Wed, Nov 16, 2011 at 2:05 PM, Les Hazlewood <[email protected]> wrote: > Hi Jason, > > Because of Groovy's ability to blindly traverse an object/property > graph, you should be able to get it from the SecurityManager > reference, e.g.: > > securityManager.sessionManager.sessionDAO > > This traversal will only work if you're using native sessions > (otherwise the runtime SessionManager instance won't have a sessionDAO > property). > > Cheers, > > Les > > On Wed, Nov 16, 2011 at 12:36 PM, Jason Davis <[email protected]> wrote: >> Thanks a lot Les. I have seen your posts on the grails mailing list >> while searching about this. >> Do you know how to get the session dao in grails when using the >> default session setup? >> >> Thanks A lot! >> Jason >> >> On Wed, Nov 16, 2011 at 1:18 PM, Les Hazlewood <[email protected]> wrote: >>> Hi Jason, >>> >>> My brain must be muddy today - your solution is simpler and should >>> work fine. I don't know why I jumped right to the more complicated >>> solution! >>> >>> That should be good enough but you will need to persist the state >>> change back to the data store so invalidated sessions can be cleaned >>> up as necessary. >>> >>> For example, by using the SessionManager's underlying SessionDAO: >>> >>> Collection<Session> activeSessions = sessionDAO.getActiveSessions(); >>> for( Session s : activeSessions ) { >>> s.invalidate(); >>> sessionDAO.update(s); >>> } >>> >>> HTH! >>> >>> Cheers, >>> >>> Les >>> >>> On Wed, Nov 16, 2011 at 10:35 AM, Jason Davis <[email protected]> wrote: >>>> Thanks for the reply! >>>> If I have a list of all sessions can I invalidate() them all and be >>>> done? Or would that not be enough to log them out? >>>> >>>> Thanks! >>>> Jason Davis >>>> >>>> On Wed, Nov 16, 2011 at 11:27 AM, Les Hazlewood <[email protected]> >>>> wrote: >>>>> Hi Jason, >>>>> >>>>> First, this would only be possible if using Shiro's native session >>>>> support. There is no way to do this using the default servlet >>>>> container sessions. >>>>> >>>>> The state of a subject is bound to a thread and/or a Session (if >>>>> they're authenticated and sessions are enabled). >>>>> >>>>> To log out all authenticated subjects you need to: >>>>> >>>>> 1. Clear out the session cache entirely. >>>>> 2. Do either of the following: >>>>> a. Delete all active sessions in the backing Session data store >>>>> (used by the SessionDAO), or >>>>> b. Update all active sessions' stoppedTimestamp to be the current >>>>> time in the backing Session data store. >>>>> >>>>> 1 and 2.a. are the common approaches. 2.b. is only done if you store >>>>> and delete sessions manually from your data store outside of Shiro's >>>>> control. >>>>> >>>>> You could do this if using Shiro's native session management and >>>>> you're using a SessionDAO that talks to a datastore that allows you to >>>>> do bulk updates. >>>>> >>>>> Finally note that 'rememberMe' users will still be remembered as long >>>>> as their rememberMe cookie exists. If you delete any remembered >>>>> Subject's session, they will still be remembered on the next request >>>>> (and likely a new session will be created to store the rememberMe >>>>> value). They just won't be authenticated. >>>>> >>>>> HTH, >>>>> >>>>> Les >>>>> >>>>> On Wed, Nov 16, 2011 at 9:25 AM, Jason Davis <[email protected]> >>>>> wrote: >>>>>> Hello, >>>>>> How can I log out all subjects? I can only find how to get the >>>>>> 'active' subject. I'd like to get a list of them all, or just be able >>>>>> to log them all out. Is this possible? >>>>>> >>>>>> Thanks, >>>>>> Jason >
