It depends. I use JWT tokens. No chance here to invalidate them, but they get invalidated pretty quickly anyway.

But you can use any *distributed* session storage you like: a DBMS, a memory grid like Hazelcast, or create your own local storage and sync them via JGroups, or even EJBs. It doesn't matter as long as all of the nodes use the same single or synchronously updated storage.

You can then iterate over all sessions in one of the nodes or via a sidecar container/app and invalidate them.

Just make sure you enter the session storage class in the shiro.ini.

HTH
Ben

On Thu, 5 Nov 2020, 20:47 Andreas Reichel, <[email protected]> wrote:

> Good evening Alex,
>
> in my understanding this is not possible: Shiro works on the client side and provides an abstraction of authenticating/authorizing a client against a server.
> But you look for a registry of sessions on the server side. That should not be Shiro's concern.
>
> Best regards
> Andreas
>
> On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>
> Hi all,
>
> Could anyone say how I can get all logged-in subjects? For example, subjects have roles, roles have permissions. If a role in the application were modified dynamically (for example in the DB), I want to get all logged-in subjects, iterate over them, find those who have this role, collect their principals and call in my realm the method clearCachedAuthorizationInfo(PrincipalCollection principals).
>
> --
> Best regards, Alex Orlov
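
The approach discussed in this thread (walk the shared session store, find the subjects holding the changed role, then clear their cached authorization info or end their sessions) could look like the following in Java. This is an added example, not code from the thread or from the Shiro project; `RoleChangeHandler`, `RefreshableRealm` and `onRoleModified` are hypothetical names, and it assumes Shiro 1.x native sessions whose `SessionDAO` is the shared store registered in shiro.ini.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/** Hypothetical helper: react to a role whose permissions were changed in the DB. */
public final class RoleChangeHandler {

    /** Hypothetical realm base class: widens Shiro's protected method to public. */
    public abstract static class RefreshableRealm extends AuthorizingRealm {
        @Override
        public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
            super.clearCachedAuthorizationInfo(principals);
        }
    }

    /**
     * Returns the primary principals of all logged-in subjects that hold roleName.
     * Their cached AuthorizationInfo is cleared; with endSessions the session is
     * also removed from the store, so the next request must log in again.
     */
    public static List<Object> onRoleModified(SessionDAO sessionDAO, RefreshableRealm realm,
                                              String roleName, boolean endSessions) {
        List<Object> affected = new ArrayList<>();
        // Copy first: the DAO's collection may not tolerate deletes while iterating.
        // Sessions of other nodes are only visible if the DAO is the shared store.
        for (Session session : new ArrayList<>(sessionDAO.getActiveSessions())) {
            Object attr = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (!(attr instanceof PrincipalCollection)) {
                continue; // session exists but nobody has logged in on it
            }
            PrincipalCollection principals = (PrincipalCollection) attr;
            if (!realm.hasRole(principals, roleName)) {
                continue; // subject does not hold the modified role
            }
            // Clears this node's cache only, unless the CacheManager is distributed too.
            realm.clearCachedAuthorizationInfo(principals);
            if (endSessions) {
                sessionDAO.delete(session);
            }
            affected.add(principals.getPrimaryPrincipal());
        }
        return affected;
    }
}
```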
