How long is your cache timeout for permission lookups?  If it's relatively
short, you could modify your realm to return zero permissions for a locked
out user.  Then, they may remain logged in but they have no permissions -
and therefore can't do anything.
On Sep 26, 2013 6:32 PM, "Stephen McCants" <[email protected]>
wrote:

> Hello All,
>     I'm working on a new problem and haven't found a good solution.
>     We have the ability to lock a user's account which prevents them from
> logging in.  This is implemented in our custom Realm.  However, if a user
> is already logged in, they can continue to do things until their session
> expires or they logout.
>     We'd like to be able to boot someone out immediately, but I haven't
> been able to find a good way to do this.  My main approach was to modify
> their session, but that seemed to have no effect on their Subject in their
> ThreadContext.
>     Here are some of the things I tried doing to their session:
>
>         SessionDAO sdao = DAOUtils.getFactory().getSessionDAO(); // Get the custom session DAO
>         Collection<Session> sessions = sdao.getActiveSessions();
>         for (Session s : sessions) {
>                 // Find the session based on the locked user's principal
>                 s.stop();
>                 sdao.update(s);
>         }
>
> Also tried:
>
>         s.setAttribute(org.apache.shiro.subject.support.DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, false);
>         sdao.update(s);
>
> And:
>         sdao.delete(s);
>
> I also tried building a new subject from the session and logging it out:
>
>         Subject foreignSubject = new Subject.Builder().session(s).buildSubject();
>         foreignSubject.logout();
>
> I think the problem is the real Subject is cached in a ThreadLocal and not
> accessible (unless the person locking the account is locking their own
> account).  The cached Subject doesn't get updated when the session has
> changed.
>     Does anyone have any recommendations or even a good solution to this
> problem?  I'm sure I'm not the first to want to do this.
>     Thanks in advance!
>
>         Sincerely,
>             Stephen McCants
>
> --
> Stephen McCants
> Senior Software Engineer
> Healthcare Control Systems
> 1-877-877-8795 x116
>
>
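The approach the reply suggests, written out as an added example (it is not code from either poster, and the account store, class and user names in it are constructed for illustration). The realm refuses login for a locked account and, for a subject that is already logged in, returns an empty `AuthorizationInfo`, so every `isPermitted`/`hasRole` check fails while the session itself stays untouched. `AuthorizingRealm` caches authorization info per principal when a `CacheManager` is configured; rather than waiting for the cache entry to expire, `lockAccount` evicts it with `clearCachedAuthorizationInfo`, which takes effect on the locked user's next permission check. The example assumes Shiro 1.x and Java 9 or later (for `Set.of`).

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical realm: locked accounts cannot log in, and if already logged in get no permissions. */
public class LockAwareRealm extends AuthorizingRealm {

    /** Constructed stand-in for a real account store; plaintext password only for this demo. */
    static final class Account {
        final String password;
        final Set<String> permissions;
        volatile boolean locked;
        Account(String password, Set<String> permissions) {
            this.password = password;
            this.permissions = permissions;
        }
    }

    private final Map<String, Account> accounts = new ConcurrentHashMap<>();

    public LockAwareRealm() {
        setName("lockAwareRealm");
        setAuthorizationCachingEnabled(true); // the per-principal cache the reply refers to
        accounts.put("alice", new Account("correct horse", Set.of("report:read", "report:write")));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        Account acct = accounts.get(upt.getUsername());
        if (acct == null) {
            throw new UnknownAccountException("no account " + upt.getUsername());
        }
        if (acct.locked) {
            throw new LockedAccountException("account " + upt.getUsername() + " is locked");
        }
        // Principal is the username under this realm's name; the cache key below must match it.
        return new SimpleAuthenticationInfo(upt.getUsername(), acct.password, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) getAvailablePrincipal(principals);
        Account acct = accounts.get(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (acct == null || acct.locked) {
            return info; // zero permissions: still logged in, but every permission check fails
        }
        info.setStringPermissions(acct.permissions);
        return info;
    }

    /** Lock the account and evict its cached permissions so the lock applies on the next check. */
    public void lockAccount(String username) {
        Account acct = accounts.get(username);
        if (acct == null) {
            return;
        }
        acct.locked = true;
        // Same principal/realm pair as the one stored at login, so the cache key is equal.
        clearCachedAuthorizationInfo(new SimplePrincipalCollection(username, getName()));
    }

    public static void main(String[] args) {
        LockAwareRealm realm = new LockAwareRealm();
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        sm.setCacheManager(new MemoryConstrainedCacheManager()); // enables the authorization cache
        SecurityUtils.setSecurityManager(sm);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("before lock: " + subject.isPermitted("report:read"));

        realm.lockAccount("alice"); // performed by an administrator, not by alice herself
        System.out.println("after lock:  " + subject.isPermitted("report:read"));
        System.out.println("still authenticated: " + subject.isAuthenticated());
    }
}
```

Without a `CacheManager` the realm does no authorization caching at all, so every check goes back to `doGetAuthorizationInfo` and the lock is immediate by construction; with one, the explicit eviction is what removes the dependence on the cache timeout. The subject's session and authenticated flag are left alone on purpose: the user is simply unable to do anything, which is the effect the reply describes.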
