I think it is much easier if you just call the 'clearCachedAuthorizationInfo(PrincipalCollection)' method on the relevant Realm instance. This will invalidate the authorization cache entry for the corresponding Subject as necessary.
This is the easiest approach when roles/permissions need to change at runtime.

HTH,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Dec 15, 2011, at 10:49 AM, James Whetstone wrote:

> Hi Manoj,
>
> I'm not sure I understand what you're suggesting on this. I think the cache manager behaves as you've described out of the box since I'm using the built-in ehcache cache manager that Shiro provides out of the box. I.e. it supports multiple clients by virtue of the fact that the cache manager implements
>
>     public final <K, V> Cache<K, V> getCache(String name) throws CacheException;
>
> So this implies that you can create named caches, one for each client. And I've set up my web app to use it according to Shiro's guidelines (using INI configuration parameters).
>
> If I'm not mistaken, all that is required is that I get the instance of the cache manager, and update the cache by removing the entry for the current Subject.
>
> Does this make sense to you?
>
> Thanks!
> James
>
> ----- Original Message -----
> From: "Manoj Khangaonkar" <[email protected]>
> To: <[email protected]>
> Sent: Wednesday, December 14, 2011 2:17 PM
> Subject: Re: How to force reauthorization.
>
> Hi James,
>
> That should work. But clearly is less than elegant.
>
> To do better Architecturally, I would look at the cache as structure that can have many clients, of which shiro is one client and the DAO is another. Just like a database where multiple clients can insert/update/delete rows.
>
> Manoj
>
> On Wed, Dec 14, 2011 at 8:24 AM, James Whetstone <[email protected]> wrote:
>> Hi Manoj,
>>
>> I should have seen this :-) . So I'm assuming that when I obtain my security manager instance I should do it by casting the result like this:
>>
>>     CacheSecurityManager mgr = (CacheSecurityManager) SecurityUtils.getSecurityManager();
>>
>> Since I've configured the system to use a cache manager, this should work, right?
>>
>> Thanks!
>>
>> James
>>
>> ----- Original Message -----
>> From: "Manoj Khangaonkar" <[email protected]>
>> To: <[email protected]>
>> Sent: Wednesday, December 14, 2011 7:12 AM
>> Subject: Re: How to force reauthorization.
>>
>> James,
>>
>> SecurityManager or more specifically CacheSecurityManager does have get/set methods for the cacheManager.
>>
>> On Tue, Dec 13, 2011 at 10:07 PM, James Whetstone <[email protected]> wrote:
>>>
>>> Hi Manoj,
>>>
>>> Thanks for your help on this. So I need some direction with regards to how to access and use the cache.
>>>
>>> I've configured my webapp with the following ini snippet:
>>>
>>>     cassandraRealm = com.structuredcode.web.MyRealm
>>>     securityManager.realms = $cassandraRealm
>>>     cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
>>>     securityManager.cacheManager = $cacheManager
>>>
>>> So in my servlet, I'm updating the permissions using my DAO, as you've described, but at that point, I don't know how to obtain my cache manager instance. I've looked through the API documentation for the SecurityManager and Subject classes thinking I could obtain the cache manager through one of these objects, but I don't see an API call for this.
>>>
>>> What am I missing?
>>>
>>> Thank you!
>>>
>>> James
>>>
>>> ----- Original Message -----
>>> From: "Manoj Khangaonkar" <[email protected]>
>>> To: <[email protected]>
>>> Sent: Tuesday, December 13, 2011 9:36 PM
>>> Subject: Re: How to force reauthorization.
>>>
>>> Hi James,
>>>
>>> You don't need to do this using the REALM.
>>>
>>> The DAO that writes the permission to database is outside the scope of Shiro. After writing to database, this DAO can either update the cache or evict the item from the cache.
>>>
>>> Manoj
>>>
>>> On Tue, Dec 13, 2011 at 5:50 PM, James Whetstone <[email protected]> wrote:
>>>>
>>>> That makes sense. But I'm unclear on how to obtain an instance of my realm implementation (which extends AuthorizingRealm) because I don't know how the realm manages the cache.
>>>>
>>>> In other words, do I need to make my realm a singleton? Or is it ok to just create a new one wherever I need to (and the cache automatically uses the cache manager I specified in my ini file)?
>>>>
>>>> Also, once I get my instance of the AuthorizingRealm, I'm unclear on how to update or clear the AuthorizationInfo for a particular subject because the API calls that look like what I need are protected. E.g. clearCachedAuthorizationInfo() is protected.
>>>>
>>>> I'm thinking I need to create a custom method on my realm that invalidates the AuthorizationInfo for the given subject.
>>>>
>>>> Can anyone advise me on how to best implement this given Shiro's design?
>>>>
>>>> ---James
>>>>
>>>> ----- Original Message -----
>>>> From: "Manoj Khangaonkar" <[email protected]>
>>>> To: <[email protected]>
>>>> Sent: Tuesday, December 13, 2011 12:07 PM
>>>> Subject: Re: How to force reauthorization.
>>>>
>>>> Hi James,
>>>>
>>>> If your AuthorizationInfo is cached, you might need to update the cache when new permissions are created for the principal.
>>>>
>>>> Manoj
>>>>
>>>> On Mon, Dec 12, 2011 at 9:31 PM, James Whetstone <[email protected]> wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> My web app allows users to create resources dynamically through a web service. When this occurs, the user that is adding the new resource gets permission to read the resource.
>>>>>
>>>>> For example, the user that adds the new resource will be given the following permission:
>>>>> "my_resource_type:read:a1cd6635-42a9-4528-bddf-4c994c58cf9a".
>>>>> The permissions are stored as strings in the database.
>>>>>
>>>>> So my problem is that if the user tries to read the resource immediately following the creation of the resource, the user is denied because the user has already been authorized through my custom realm and the new permission hasn't been processed out of the database as would normally occur when user authorization occurs.
>>>>>
>>>>> So I'm wondering if there is a way to force reauthorization, or otherwise handle this type of dynamic update to permissions, maybe by updating the Subject's authorization info dynamically.
>>>>>
>>>>> Thank you!
>>>>> James
>>>>>
>>>>
>>>> --
>>>> http://khangaonkar.blogspot.com/
>>>>
>>>
>>> --
>>> http://khangaonkar.blogspot.com/
>>>
>>
>> --
>> http://khangaonkar.blogspot.com/
>>
>
> --
> http://khangaonkar.blogspot.com/
>
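
The approach from the top reply, as an added example that is not part of the original thread and is not Shiro's own code: a realm base class that exposes the cache-clearing call and a helper that writes the permission first, then evicts the Subject's cached AuthorizationInfo from the realm instance the security manager already holds. `RefreshableRealm` and `refreshAfter` are hypothetical names; it assumes `clearCachedAuthorizationInfo(PrincipalCollection)` is protected on `AuthorizingRealm`, as reported in the thread, and that the configured security manager is a `RealmSecurityManager`.

```java
import java.util.Collection;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical base class: a custom realm (e.g. MyRealm) extends this instead of AuthorizingRealm. */
public abstract class RefreshableRealm extends AuthorizingRealm {

    /** Widens the inherited protected method so callers outside the realm can evict one entry. */
    @Override
    public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
        super.clearCachedAuthorizationInfo(principals);
    }

    /**
     * Runs the permission write (the DAO call), then evicts the subject's cached
     * AuthorizationInfo from every RefreshableRealm configured on the security manager.
     * Returns the number of realms whose cache entry was cleared.
     */
    public static int refreshAfter(Subject subject, Runnable permissionWrite) {
        PrincipalCollection principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            // Anonymous subject: there is no cache key to evict and nobody to grant to.
            throw new IllegalStateException("subject has no principals");
        }
        // Write first. If the write throws, the cache is left untouched.
        permissionWrite.run();

        SecurityManager sm = SecurityUtils.getSecurityManager();
        if (!(sm instanceof RealmSecurityManager)) {
            throw new IllegalStateException("security manager does not expose its realms");
        }
        // Use the instances built from the INI file; a realm created with 'new'
        // would not be the one whose cache served the stale entry.
        Collection<Realm> realms = ((RealmSecurityManager) sm).getRealms();
        int cleared = 0;
        if (realms != null) {
            for (Realm realm : realms) {
                if (realm instanceof RefreshableRealm) {
                    ((RefreshableRealm) realm).clearCachedAuthorizationInfo(principals);
                    cleared++;
                }
            }
        }
        return cleared;
    }
}
```

After `refreshAfter(SecurityUtils.getSubject(), () -> dao.grant(...))` returns (the `dao.grant` call is a placeholder), the next permission check for that Subject misses the cache and goes through the realm's `doGetAuthorizationInfo` again.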
