Hi Manoj,
I'm not sure I understand what you're suggesting on this. I think the cache
manager behaves as you've described out of the box since I'm using the
built-in ehcache cache manager that Shiro provides out of the box. I.e. it
supports multiple clients by virtue of the fact that the cache manager
implements

    public final <K, V> Cache<K, V> getCache(String name) throws CacheException;

So this implies that you can create named caches, one for
each client. And I've set up my web app to use it according to Shiro's
guidelines (using INI configuration parameters).
If I'm not mistaken, all that is required is that I get the instance of the
cache manager, and update the cache by removing the entry for the current
Subject.
Does this make sense to you?
Thanks!
James
----- Original Message -----
From: "Manoj Khangaonkar" <[email protected]>
To: <[email protected]>
Sent: Wednesday, December 14, 2011 2:17 PM
Subject: Re: How to force reauthorization.
Hi James,
That should work. But clearly is less than elegant.
To do better architecturally, I would look at the cache as a structure
that can have many clients, of which Shiro is one client
and the DAO is another. Just like a database where multiple clients
can insert/update/delete rows.
Manoj
On Wed, Dec 14, 2011 at 8:24 AM, James Whetstone
<[email protected]> wrote:
Hi Manoj,
I should have seen this :-) . So I'm assuming that when I obtain my
security manager instance I should do it by casting the result like this:
CacheSecurityManager mgr = (CacheSecurityManager)
SecurityUtils.getSecurityManager();
Since I've configured the system to use a cache manager, this should work,
right?
Thanks!
James
----- Original Message -----
From: "Manoj Khangaonkar" <[email protected]>
To: <[email protected]>
Sent: Wednesday, December 14, 2011 7:12 AM
Subject: Re: How to force reauthorization.
James,
SecurityManager or more specifically CacheSecurityManager does have
get/set methods for the cacheManager.
On Tue, Dec 13, 2011 at 10:07 PM, James Whetstone
<[email protected]> wrote:
Hi Manoj,
Thanks for your help on this. So I need some direction with regards to how
to access and use the cache.
I've configured my webapp with the following ini snippet:

    cassandraRealm = com.structuredcode.web.MyRealm
    securityManager.realms = $cassandraRealm
    cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
    securityManager.cacheManager = $cacheManager

So in my servlet, I'm updating the permissions using my DAO, as you've
described, but at that point, I don't know how to obtain my cache manager
instance. I've looked through the API documentation for the
SecurityManager and Subject classes thinking I could obtain the cache
manager through one of these objects, but I don't see an API call for this.
What am I missing?
Thank you!
James
----- Original Message -----
From: "Manoj Khangaonkar" <[email protected]>
To: <[email protected]>
Sent: Tuesday, December 13, 2011 9:36 PM
Subject: Re: How to force reauthorization.
Hi James,
You don't need to do this using the REALM.
The DAO that writes the permission to database is outside the scope of
Shiro. After writing to database,
this DAO can either update the cache or evict the item from the cache.
Manoj
On Tue, Dec 13, 2011 at 5:50 PM, James Whetstone
<[email protected]> wrote:
That makes sense. But I'm unclear on how to obtain an instance of my realm
implementation (which extends AuthorizingRealm) because I don't know how the
realm manages the cache.
In other words, do I need to make my realm a singleton? Or is it ok to just
create a new one wherever I need to (and the cache automatically uses the
cache manager I specified in my ini file)?
Also, once I get my instance of the AuthorizingRealm, I'm unclear on how to
update or clear the AuthorizationInfo for a particular subject because the
API calls that look like what I need are protected. E.g.
clearCachedAuthorizationInfo() is protected.
I'm thinking I need to create a custom method on my realm that invalidates
the AuthorizationInfo for the given subject.
Can anyone advise me on how to best implement this given Shiro's design?
---James
----- Original Message -----
From: "Manoj Khangaonkar" <[email protected]>
To: <[email protected]>
Sent: Tuesday, December 13, 2011 12:07 PM
Subject: Re: How to force reauthorization.
Hi James,
If your AuthorizationInfo is cached, you might need to update the cache when
new permissions are created for the principal.
Manoj
On Mon, Dec 12, 2011 at 9:31 PM, James Whetstone
<[email protected]> wrote:
Hi everyone,
My web app allows users to create resources dynamically through a web
service. When this occurs, the user that is adding the new resource gets
permission to read the resource.
For example, the user that adds the new resource will be given the following
permission:
"my_resource_type:read:a1cd6635-42a9-4528-bddf-4c994c58cf9a".
The permissions are stored as strings in the database.
So my problem is that if the user tries to read the resource immediately
following the creation of the resource, the user is denied because the user
has already been authorized through my custom realm and the new permission
hasn't been processed out of the database as would normally occur when user
authorization occurs.
So I'm wondering if there is a way to force reauthorization, or otherwise
handle this type of dynamic update to permissions, maybe by updating the
Subject's authorization info dynamically.
Thank you!
James
--
http://khangaonkar.blogspot.com/
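
The eviction discussed in this thread, as an added example that is not code from any of the posters or from the Shiro project: a realm base class that exposes the protected clearCachedAuthorizationInfo() and is reached through the realms the configured security manager already holds. EvictingRealm and its method names are hypothetical; the realm named in the INI snippet would extend it.

```java
import java.util.Collection;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Hypothetical base class: the application's realm would extend this
// instead of extending AuthorizingRealm directly.
public abstract class EvictingRealm extends AuthorizingRealm {

    // Public wrapper around the protected clearCachedAuthorizationInfo().
    // The next permission check misses the cache and calls
    // doGetAuthorizationInfo(), which re-reads permissions from the database.
    public void evictAuthorization(PrincipalCollection principals) {
        clearCachedAuthorizationInfo(principals);
    }

    // Evict a user other than the caller, e.g. after an administrator
    // changes that user's permissions.
    // Assumption: this realm builds its AuthenticationInfo from exactly this
    // principal and getName(), so the rebuilt collection equals the cached key.
    public void evictAuthorizationFor(Object principal) {
        evictAuthorization(new SimplePrincipalCollection(principal, getName()));
    }

    // Call from the servlet or DAO after the permission write has committed.
    // Uses the realm instances the security manager was configured with; a
    // realm created with "new" is not wired to the configured cache manager.
    // Returns the number of realms that were asked to evict.
    public static int evictCurrentSubject() {
        PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();
        RealmSecurityManager sm = (RealmSecurityManager) SecurityUtils.getSecurityManager();
        Collection<Realm> realms = sm.getRealms();
        int evicted = 0;
        if (principals == null || realms == null) {
            return evicted; // anonymous subject or no realms: nothing cached
        }
        for (Realm realm : realms) {
            if (realm instanceof EvictingRealm) {
                ((EvictingRealm) realm).evictAuthorization(principals);
                evicted++;
            }
        }
        return evicted;
    }
}
```

The same eviction is needed when a permission is revoked, since a stale cache entry would otherwise keep granting access until it expires.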