Do I understand you right — you are talking about implementing a custom SessionDAO
and adding it to the session manager?
 
sessionDAO = com.foo.my.SessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
 
So, I can always a) get events when a subject logs in (create) and logs out 
(delete) b) find currently logged-in Subjects?
 
 
--
Best regards, Alex Orlov
 
  
>Thursday, 5 November 2020, 23:12 +03:00 from Benjamin Marwell <[email protected]>:
> 
>It depends.
> 
>I use JWT tokens. No chance here to invalidate them, but they get invalidated 
>pretty quickly anyway.
> 
>But you can use any *distributed* session storage you like: a DBMS, a memory 
>grid like hazelcast, or create your own local storage and sync them via 
>jGroups, or even EJBs. It doesn't matter as long as all of the nodes use the 
>same single or synchronously updated storage.
> 
>You can then iterate over all sessions in one of the nodes or via a sidecar 
>container/app and invalidate them.
> 
>Just make sure you enter the session storage class in the shiro.ini.
>
>HTH
>Ben  
>On Thu, 5 Nov 2020, 20:47 Andreas Reichel, < [email protected] > 
>wrote:
>>Good evening Alex,
>> 
>>in my understanding this is not possible: Shiro works on the client side and 
>>provides an abstraction of authenticating/authorizing a client against a 
>>server.
>>But you look for a registry of sessions on the server side. That should not 
>>be Shiro's concern.
>> 
>>Best regards
>>Andreas
>> 
>> 
>>On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>>>Hi all,
>>> 
>>>Could anyone say how I can get all logged-in subjects? For example, 
>>>Subjects have roles, roles have permissions. If a role were modified 
>>>dynamically in the application (for example in the DB), I want to get all 
>>>logged-in subjects, iterate over them, find those who have this role, 
>>>collect their principals and call the method 
>>>clearCachedAuthorizationInfo(PrincipalCollection principals) in my realm.
>>> 
>>> 
>>>--
>>>Best regards, Alex Orlov
>> 
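
The approach discussed in this thread (iterate the sessions held by the SessionDAO, then clear cached authorization data for affected principals), as an added example that is not code from any of the posters or from the Shiro project. It assumes Shiro's native session management (DefaultSessionManager or DefaultWebSessionManager) with shiro-core on the classpath; EvictableRealm and RoleChangeHandler are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/** Hypothetical base realm: widens the protected cache-eviction hook to public. */
abstract class EvictableRealm extends AuthorizingRealm {
    @Override
    public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
        super.clearCachedAuthorizationInfo(principals);
    }
}

/** Hypothetical helper: call it after a role's permissions change in the DB. */
final class RoleChangeHandler {
    private final DefaultSessionManager sessionManager;
    private final EvictableRealm realm;

    RoleChangeHandler(DefaultSessionManager sessionManager, EvictableRealm realm) {
        this.sessionManager = sessionManager;
        this.realm = realm;
    }

    /** Evicts cached authorization data for every logged-in holder of the role. */
    List<PrincipalCollection> onRoleModified(String roleName) {
        List<PrincipalCollection> evicted = new ArrayList<>();
        // getActiveSessions() only sees what the configured SessionDAO stores, so in
        // a cluster the DAO must be backed by storage shared by all nodes.
        for (Session session : sessionManager.getSessionDAO().getActiveSessions()) {
            // Shiro keeps the principals under this key once a subject has logged in;
            // anonymous sessions carry no such attribute and are skipped.
            Object attr = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (!(attr instanceof PrincipalCollection)) {
                continue;
            }
            PrincipalCollection principals = (PrincipalCollection) attr;
            if (realm.hasRole(principals, roleName)) {
                realm.clearCachedAuthorizationInfo(principals);
                evicted.add(principals);
            }
        }
        return evicted;
    }
}
```

If the realm's authorization cache is local to each node rather than shared, every node has to run the eviction, otherwise a subject can keep the old permissions on the nodes that were not flushed.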
 
