Les,

Submitted ticket.
The original suggestion to use Subject.Builder won't work for expired sessions.
The session validation scheduler is executed in a separate thread that doesn't
have a SecurityManager bound to it, and thus only a statically bound
SecurityManager works in this case.

Seems like I'm left with custom fetching from session attributes :(.

Alexandr Vasilenko

2012/4/12 Les Hazlewood <[email protected]>

> No particular reason - please open a Jira issue and we can fix it as
> soon as possible.
>
> Thanks!
>
> --
> Les Hazlewood
> CTO, Stormpath | http://www.stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog/
>
> On Thu, Apr 12, 2012 at 1:02 PM, Alex Vasilenko <[email protected]>
> wrote:
> > Found out why there are no principals in SessionListener#onStop(): on
> > explicit logout, DefaultSubjectDAO#removeFromSession(Subject) removes all
> > principals before SessionListener#onStop() is called.
> > As I understand it, on logout the session will be destroyed in any case.
> > What are the reasons to explicitly clear the principals and authenticated
> > flag from the session in this case?
> >
> > Thanks,
> >
> > Alexandr Vasilenko
> >
> > 2012/4/6 Alex Vasilenko <[email protected]>
> >>
> >> Les,
> >>
> >> Then I have problems: #onStop() doesn't have principals, even if the user
> >> is known. #onStart() doesn't have principals either, but I think it's
> >> because the session is created earlier than principals are associated
> >> with it. Correct me if I'm wrong.
> >>
> >> Thanks,
> >>
> >> Alexandr Vasilenko
> >>
> >> 2012/4/6 Les Hazlewood <[email protected]>
> >>>
> >>> Hi Alex,
> >>>
> >>> Yes, that's possible.  A session can be created and stopped before it
> >>> is associated with an identity - for example, if the session was
> >>> created by a guest (user, robot, etc), and that guest never logged in
> >>> and their session expired.
> >>>
> >>> For sessions that have been associated with a known user (e.g. via
> >>> login or rememberMe), you would be able to obtain the identity
> >>> (principals).
> >>>
> >>> Just be aware that the onStop method is called before the session (and
> >>> its associated principals) are removed.  You can perform 'read'
> >>> operations only (get the principals, check the last access time, etc)
> >>> during this time.  You can't perform any 'write' operations (add
> >>> attributes, etc).
> >>>
> >>> HTH,
> >>>
> >>> Les Hazlewood
> >>> CTO, Stormpath | http://www.stormpath.com | 888.391.5282
> >>> twitter: @lhazlewood | http://twitter.com/lhazlewood
> >>> blog: http://leshazlewood.com
> >>> stormpath blog: http://www.stormpath.com/blog/
> >>>
> >>> On Fri, Apr 6, 2012 at 10:46 AM, Alex Vasilenko <[email protected]>
> >>> wrote:
> >>> > Les,
> >>> >
> >>> > Is it possible that there won't be principals on user's logout in
> >>> > SessionListener#onStop()?
> >>> >
> >>> > Alexandr Vasilenko
> >>> >
> >>> >
> >>> > 2012/4/6 Alex Vasilenko <[email protected]>
> >>> >>
> >>> >> Simple and powerful :). Thanks, Les.
> >>> >>
> >>> >> Alexandr Vasilenko
> >>> >>
> >>> >>
> >>> >> 2012/4/6 Les Hazlewood <[email protected]>
> >>> >>>
> >>> >>> Hi Alex,
> >>> >>>
> >>> >>> The easiest way to do this is to construct the Subject instance
> >>> >>> associated with the session given to the listener:
> >>> >>>
> >>> >>> Subject owningSubject = new Subject.Builder().session(theSession).buildSubject();
> >>> >>>
> >>> >>> You can interact with the 'owningSubject' instance to acquire what
> >>> >>> you need (e.g. owningSubject.getPrincipal()).
> >>> >>>
> >>> >>> This way, you don't need to know about the implementation details
> >>> >>> of how to acquire the principals (i.e. what session key to use,
> >>> >>> etc). This is good because those implementation details might
> >>> >>> change over time, but your code based on the Subject.Builder should
> >>> >>> always work the same way.
> >>> >>>
> >>> >>> Cheers,
> >>> >>>
> >>> >>> Les Hazlewood
> >>> >>> CTO, Stormpath | http://www.stormpath.com | 888.391.5282
> >>> >>> twitter: @lhazlewood | http://twitter.com/lhazlewood
> >>> >>> blog: http://leshazlewood.com
> >>> >>> stormpath blog: http://www.stormpath.com/blog/
> >>> >>>
> >>> >>> On Thu, Apr 5, 2012 at 12:34 PM, Alex Vasilenko
> >>> >>> <[email protected]>
> >>> >>> wrote:
> >>> >>> > Hello,
> >>> >>> >
> >>> >>> > Is there any simple solution to retrieve a user's principals in
> >>> >>> > SessionListener? As far as I understand, it's abstracted from the
> >>> >>> > subject and there's no way to get it simply w/o hacking into
> >>> >>> > Shiro code.
> >>> >>> >
> >>> >>> > Why do I need this:
> >>> >>> > We have a pretty common use case: show users who are online. With
> >>> >>> > SessionListener it would be quite easy - #onStart() marks the user
> >>> >>> > as online, #onExpiration() and #onStop() - as offline.
> >>> >>> >
> >>> >>> > Thanks,
> >>> >>> > Alexandr Vasilenko
> >>
> >>
> >
>
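
An added example, not code from this thread or from the Shiro project: one way to do the "custom fetching from session attributes" mentioned in the top message while keeping the online list correct after an explicit logout, by keying entries on the session id instead of the principal. `OnlineUserListener`, `markOnline` and `onlineUsers` are hypothetical names; reading `DefaultSubjectContext.PRINCIPALS_SESSION_KEY` directly relies on a Shiro implementation detail that may change between versions.

```java
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

import java.io.Serializable;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical online-user tracker; class and method names are illustrative. */
public class OnlineUserListener implements SessionListener {

    // session id -> primary principal, recorded once the user is known
    private final Map<Serializable, Object> online = new ConcurrentHashMap<>();

    /** Reads the principals from the session itself, so no thread-bound SecurityManager is needed. */
    static Object primaryPrincipal(Session session) {
        Object attr = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        if (attr instanceof PrincipalCollection && !((PrincipalCollection) attr).isEmpty()) {
            return ((PrincipalCollection) attr).getPrimaryPrincipal();
        }
        return null; // guest session, or principals already cleared by logout
    }

    /** Assumption: application code calls this right after a successful subject.login(token). */
    public void markOnline(Session session) {
        Object principal = primaryPrincipal(session);
        if (principal != null) {
            online.put(session.getId(), principal);
        }
    }

    @Override
    public void onStart(Session session) {
        // The session is created before principals are associated with it: nothing to record yet.
    }

    @Override
    public void onStop(Session session) {
        // On explicit logout the principals are removed before this callback runs,
        // so the entry is dropped by session id rather than looked up by principal.
        online.remove(session.getId());
    }

    @Override
    public void onExpiration(Session session) {
        // Runs on the session validation thread; only the session object is used here.
        online.remove(session.getId());
    }

    /** Snapshot of the distinct principals that currently have a live session. */
    public Set<Object> onlineUsers() {
        return new HashSet<>(online.values());
    }
}
```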
