Hi Tauren,
You can create a SimplePrincipalCollection manually, but with Shiro's
default clearing behavior, the manually constructed instance must
equal the one created by your Realm during authentication (in the
AuthenticationInfo).
For example:
    SimplePrincipalCollection spc = new SimplePrincipalCollection(id, realmName);
    // this should be true:
    spc.equals(authenticationInfoReturnedFromMyRealm.getPrincipals());

Depending on the cache implementation,
    spc.hashCode() == authenticationInfoReturnedFromMyRealm.getPrincipals().hashCode()
might have to be true as well.
This is because the AuthorizingRealm's clearCachedAuthorizationInfo
method, by default, uses the PrincipalCollection as the cache key,
i.e. cache.remove(principalCollection).
But you can change this if it doesn't meet your needs. Perhaps you
want the cache key to only be the 'primary principal' - which looks
like your user id in your case - and not the entire
PrincipalCollection. You can override the
getAuthorizationCacheKey(PrincipalCollection) method:
    @Override
    protected Object getAuthorizationCacheKey(PrincipalCollection pc) {
        // use only the primary principal (e.g. the user id) as the cache key
        return pc.getPrimaryPrincipal();
    }
Note that this is different than getAuthenticationCacheKey (used
during authentication caching only) - but if used, it can have the
same implementation as getAuthorizationCacheKey as well.
Perhaps Shiro's default implementation should just rely on the primary
principal as the cache key by default. I didn't write it that way in
the beginning because the PC represents the entire identity of the
current Subject, which may or may not be more than one principal. But
for caching, maybe it's best just to use the primary. Please open a
Jira issue if you agree :)
HTH,
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
On Sun, May 5, 2013 at 5:57 PM, Tauren Mills <[email protected]> wrote:
> How do I clear the permission cache for a specific user when an
> administrative user updates properties that affect that user's permissions?
>
> I've been doing this when I want to update the current user's permissions:
> realm.clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());
>
> But how can I access the permissions cache of another user? Note that this
> user might be currently active, but they might not as well.
>
> I'm assuming I need to create a SimplePrincipalCollection, but what's the
> best way to do that and where is the best location for that code? I believe
> I need access to the realm name and the user id to do this. I'm thinking of
> adding a method to my realm:
>
> public void clearCachedAuthorizationInfo(User user) {
>     Long id = user.getId();
>     String realmName = this.getName();
>     SimplePrincipalCollection spc = // do something with id and realmName
>     this.clearCachedAuthorizationInfo(spc);
> }
>
> Thanks,
> Tauren
>
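
The two pieces discussed in this thread, put together in one realm as an added example (not code from the original messages or from the Shiro project): the cache key is overridden to the primary principal, so an administrative code path can evict another user's cached permissions from just the user id. The class name UserIdRealm, the putUser and clearAuthorizationCacheFor methods and the in-memory maps are hypothetical, and a single realm whose primary principal is a Long user id is assumed.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Hypothetical realm; the maps are a constructed stand-in for a real user store.
public class UserIdRealm extends AuthorizingRealm {
    private final Map<String, Long> idsByUsername = new ConcurrentHashMap<>();
    private final Map<Long, String> credentialsById = new ConcurrentHashMap<>(); // a real store holds hashes
    private final Map<Long, Set<String>> permissionsById = new ConcurrentHashMap<>();

    public void putUser(String username, Long id, String credentials, Set<String> permissions) {
        idsByUsername.put(username, id);
        credentialsById.put(id, credentials);
        permissionsById.put(id, permissions);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        Long id = username == null ? null : idsByUsername.get(username);
        if (id == null) return null; // unknown account
        // The primary principal is the user id, registered under this realm's name.
        return new SimpleAuthenticationInfo(id, credentialsById.get(id), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object id = principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(permissionsById.getOrDefault(id, Set.of()));
        return info;
    }

    // Key the authorization cache on the user id alone, not the whole PrincipalCollection.
    @Override
    protected Object getAuthorizationCacheKey(PrincipalCollection principals) {
        return principals.getPrimaryPrincipal();
    }

    // Evict one user's cached permissions, whether or not that user is logged in.
    public void clearAuthorizationCacheFor(Long userId) {
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(userId, getName()));
    }
}
```

Call clearAuthorizationCacheFor(id) right after the permission change is committed; until the entry is evicted or expires, the cached AuthorizationInfo keeps granting the old permissions. Nothing is cached unless a CacheManager is configured on the realm or the SecurityManager.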