shiro-user mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: log out all subjects
Date Wed, 16 Nov 2011 21:05:53 GMT

Hi Jason,

Because of Groovy's ability to blindly traverse an object/property
graph, you should be able to get it from the SecurityManager
reference, e.g.:

securityManager.sessionManager.sessionDAO

This traversal will only work if you're using native sessions
(otherwise the runtime SessionManager instance won't have a sessionDAO
property).

Cheers,

Les

On Wed, Nov 16, 2011 at 12:36 PM, Jason Davis <jdavis@openactive.org> wrote:
> Thanks a lot Les. I have seen your posts on the Grails mailing list
> while searching about this.
> Do you know how to get the session DAO in Grails when using the
> default session setup?
>
> Thanks a lot!
> Jason
>
> On Wed, Nov 16, 2011 at 1:18 PM, Les Hazlewood <lhazlewood@apache.org> wrote:
>> Hi Jason,
>>
>> My brain must be muddy today - your solution is simpler and should
>> work fine.  I don't know why I jumped right to the more complicated
>> solution!
>>
>> That should be good enough but you will need to persist the state
>> change back to the data store so invalidated sessions can be cleaned
>> up as necessary.
>>
>> For example, by using the SessionManager's underlying SessionDAO:
>>
>> Collection<Session> activeSessions = sessionDAO.getActiveSessions();
>> for( Session s : activeSessions ) {
>>    s.invalidate();
>>    sessionDAO.update(s);
>> }
>>
>> HTH!
>>
>> Cheers,
>>
>> Les
>>
>> On Wed, Nov 16, 2011 at 10:35 AM, Jason Davis <jdavis@openactive.org> wrote:
>>> Thanks for the reply!
>>> If I have a list of all sessions can I invalidate() them all and be
>>> done? Or would that not be enough to log them out?
>>>
>>> Thanks!
>>> Jason Davis
>>>
>>> On Wed, Nov 16, 2011 at 11:27 AM, Les Hazlewood <lhazlewood@apache.org> wrote:
>>>> Hi Jason,
>>>>
>>>> First, this would only be possible if using Shiro's native session
>>>> support.  There is no way to do this using the default servlet
>>>> container sessions.
>>>>
>>>> The state of a subject is bound to a thread and/or a Session (if
>>>> they're authenticated and sessions are enabled).
>>>>
>>>> To log out all authenticated subjects you need to:
>>>>
>>>> 1.  Clear out the session cache entirely.
>>>> 2.  Do either of the following:
>>>>    a.  Delete all active sessions in the backing Session data store
>>>> (used by the SessionDAO), or
>>>>    b.  Update all active sessions' stoppedTimestamp to be the current
>>>> time in the backing Session data store.
>>>>
>>>> 1 and 2.a. are the common approaches.  2.b. is only done if you store
>>>> and delete sessions manually from your data store outside of Shiro's
>>>> control.
>>>>
>>>> You could do this if using Shiro's native session management and
>>>> you're using a SessionDAO that talks to a datastore that allows you to
>>>> do bulk updates.
>>>>
>>>> Finally note that 'rememberMe' users will still be remembered as long
>>>> as their rememberMe cookie exists.  If you delete any remembered
>>>> Subject's session, they will still be remembered on the next request
>>>> (and likely a new session will be created to store the rememberMe
>>>> value).  They just won't be authenticated.
>>>>
>>>> HTH,
>>>>
>>>> Les
>>>>
>>>> On Wed, Nov 16, 2011 at 9:25 AM, Jason Davis <jdavis@openactive.org> wrote:
>>>>> Hello,
>>>>>  How can I log out all subjects? I can only find how to get the
>>>>> 'active' subject. I'd like to get a list of them all, or just be able
>>>>> to log them all out. Is this possible?
>>>>>
>>>>> Thanks,
>>>>> Jason
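
The approach discussed in this thread, gathered into one Java helper. This is an added example, not code from the thread or from the Shiro project: the class name ForceLogoutAll and its method names are hypothetical, and it ends each session with Session.stop(), the method Shiro's Session interface provides for that.

```java
import java.util.ArrayList;
import java.util.Collection;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.SessionDAO;

/** Hypothetical helper (names chosen for this example): ends every active native session. */
public final class ForceLogoutAll {
    private ForceLogoutAll() {}

    /** Returns the number of sessions removed from the session store. */
    public static int logoutAll(SecurityManager securityManager) {
        SessionDAO dao = nativeSessionDao(securityManager);
        Collection<Session> live = dao.getActiveSessions(); // a DAO may return null for "none"
        if (live == null) return 0;
        int ended = 0;
        // Copy first: some DAOs hand back a live view of their store.
        for (Session s : new ArrayList<Session>(live)) {
            try {
                s.stop();                 // mark the session as stopped
            } catch (InvalidSessionException alreadyEnded) {
                // Already stopped or expired: still remove it from the store below.
            }
            dao.delete(s);                // option 2.a in the thread; dao.update(s) gives 2.b
            ended++;
        }
        return ended;
    }

    /** Fails closed when sessions are servlet-container managed (no SessionDAO there). */
    static SessionDAO nativeSessionDao(SecurityManager securityManager) {
        if (!(securityManager instanceof SessionsSecurityManager)) {
            throw new IllegalStateException("SecurityManager exposes no SessionManager");
        }
        SessionManager sm = ((SessionsSecurityManager) securityManager).getSessionManager();
        if (!(sm instanceof DefaultSessionManager)) {
            throw new IllegalStateException(
                "Not using Shiro native sessions: " + sm.getClass().getName());
        }
        return ((DefaultSessionManager) sm).getSessionDAO();
    }
}
```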
