Posted to user@shiro.apache.org by Alex Orlov <oo...@mail.ru> on 2020/11/05 19:42:41 UTC

How to get all logged in Subjects

Hi all,
 
Could anyone say how I can get all logged in subjects? For example, Subjects
have roles, roles have permissions. If a role in the application is modified dynamically
(for example in the DB), I want to get all logged in subjects, iterate over them, find those
who have this role, collect their principals and call my realm method
clearCachedAuthorizationInfo(PrincipalCollection principals).
 
 
--
Best regards, Alex Orlov

Re[4]: How to get all logged in Subjects

Posted by Alex Orlov <oo...@mail.ru>.
Thank you all of you. I got the point.
 
 
--
Best regards, Alex Orlov
 
  
>Thursday, 5 November 2020, 23:53 +03:00 from Brian Demers <br...@gmail.com>:
> 
>This isn't something Shiro covers directly, but it is possible with a little custom code.
>  You could write a custom SessionDAO, or you could use an existing one, and just access the data store to query what you need. For example, if you used a DB, you could just query the DB. It should be similar with something like Hazelcast too.
>   
>On Thu, Nov 5, 2020 at 3:41 PM Alex Orlov < ooo_saturn7@mail.ru > wrote:
>>Do I understand you right — you are talking about implementing custom SessionDAO
>>and adding it to session manager?
>> 
>>sessionDAO = com.foo.my.SessionDAO
>>securityManager.sessionManager.sessionDAO = $sessionDAO
>> 
>>So, can I always a) get events when a subject logs in (create) and logs out (delete) and b) find currently logged in Subjects?
>> 
>> 
>>--
>>Best regards, Alex Orlov
>> 
>>  
>>>Thursday, 5 November 2020, 23:12 +03:00 from Benjamin Marwell < bmarwell@apache.org >:
>>> 
>>>It depends.
>>> 
>>>I use JWT tokens. No chance here to invalidate them, but they get invalidated pretty quickly anyway.
>>> 
>>>But you can use any *distributed* session storage you like: a DBMS, a memory grid like hazelcast, or create your own local storage and sync them via jGroups, or even EJBs. It doesn't matter as long as all of the nodes use the same single or synchronously updated storage.
>>> 
>>>You can then iterate over all sessions in one of the nodes or via a sidecar container/app and invalidate them.
>>> 
>>>Just make sure you enter the session storage class in the shiro.ini.
>>>
>>>HTH
>>>Ben  
>>>On Thu, 5 Nov 2020, 20:47 Andreas Reichel, < andreas@manticore-projects.com > wrote:
>>>>Good evening Alex,
>>>> 
>>>>in my understanding this is not possible: Shiro works on the client side and provides an abstraction of authenticating/authorizing a client against a server.
>>>>But you look for a registry of sessions on the server side. That should not be Shiro's concern.
>>>> 
>>>>Best regards
>>>>Andreas
>>>> 
>>>> 
>>>>On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>>>>>Hi all,
>>>>> 
>>>>>Could anyone say how I can get all logged in subjects? For example, Subjects
>>>>>have roles, roles have permissions. If a role in the application is modified dynamically
>>>>>(for example in the DB), I want to get all logged in subjects, iterate over them, find those
>>>>>who have this role, collect their principals and call my realm method
>>>>>clearCachedAuthorizationInfo(PrincipalCollection principals).
>>>>> 
>>>>> 
>>>>>--
>>>>>Best regards, Alex Orlov
>>>> 
>> 
 

Re[6]: How to get all logged in Subjects

Posted by Alex Orlov <oo...@mail.ru>.
So, I suggest:
 
1) To change the API to open access to some top level objects (SessionManager, SessionDAO etc.)
(return null if some implementation doesn’t have one of them)
2) To separate SecurityManager from SessionManager (leave only the has-a relation).
 
As I don’t want to waste my and others’ time, could anyone say — should I open an issue or
not?
 
 
--
Best regards, Alex Orlov
 
  
>Saturday, 7 November 2020, 16:57 +03:00 from Brian Demers <br...@gmail.com>:
> 
>Hey Alex,
> 
>Sorry about giving you wrong info before, I forgot about that method.
> 
>1.) From the API point of view the SessionDAO is an implementation detail, and getting access to those details would require some casting.
> 
>They are not part of the main API because not all SessionManagers would use a DAO, it's possible they are stored some other way.
> 
>It's possible to set them in an INI file because that operates on bean properties (getters/setters).
> 
>2.) Many of Shiro's implementations make heavy use of inheritance. This is more obvious if you look at a Realm implementation.
>On Fri, Nov 6, 2020 at 5:24 AM Alex Orlov < ooo_saturn7@mail.ru > wrote:
>>I found this wonderful method :
>> 
>>SessionDAO#Collection<Session> getActiveSessions()
>> 
>>and want to use it. And I have two questions:
>> 
>>1) Why does the API hide top level objects for which we have interfaces?
>>For example, why is there no API SecurityManager.getSessionManager().getSessionDAO()?
>>It seems unusual to me. Besides, it is possible to set them via ini:
>> 
>> 
>>sessionManager = com.foo.my.SessionManagerImplementation
>>securityManager.sessionManager = $sessionManager
>> 
>>sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>securityManager.sessionManager = $sessionManager  # Configure a SessionDAO and then set it: securityManager.sessionManager.sessionDAO = $sessionDAO
>> 
>>Maybe it is necessary to change API?
>> 
>>2) Why does SecurityManager extend SessionManager?
>>As I understand it, SecurityManager has a SessionManager, but is not a SessionManager:
>> 
>>public interface SecurityManager extends Authenticator, Authorizer, SessionManager
>> 
>>Could anyone explain?
>> 
>> 
 

Re[6]: How to get all logged in Subjects

Posted by Alex Orlov <oo...@mail.ru>.
Hi Brian,
 
Thank you for your answer. On basis of your answer I think there are some design problems in Shiro.
 
1) As I understand it, "It's possible to set them in an INI file because that operates on bean properties (getters/setters)."
just means that yes, SessionManager HAS a SessionDAO, which is what we see in the INI, and when the configuration is loaded
getters/setters are used. However, I say — what we have in the INI we must have mirrored in the API. However,
it is not mirrored in the API. → That is the reason for this question.
 
2) Inheritance is heavily used not only in Shiro, but in OOP generally. The issue is that it is very strange when
one type has two types of relation (has-a and is-a) with a quite different type. For example, consider the
following code:
 
class Car implements Engine {
    private Engine engine;
}
 
I am not a guru, but I find such API strange.
 
3) What about casting — yes, it is possible to cast and this is what I began to do. But after
some time I stopped and said to myself — "You are doing a stupid thing. The problem is in the API."
 
 
 
--
Best regards, Alex Orlov
 
  
>Saturday, 7 November 2020, 16:57 +03:00 from Brian Demers <br...@gmail.com>:
> 
>Hey Alex,
> 
>Sorry about giving you wrong info before, I forgot about that method.
> 
>1.) From the API point of view the SessionDAO is an implementation detail, and getting access to those details would require some casting.
> 
>They are not part of the main API because not all SessionManagers would use a DAO, it's possible they are stored some other way.
> 
>It's possible to set them in an INI file because that operates on bean properties (getters/setters).
> 
>2.) Many of Shiro's implementations make heavy use of inheritance. This is more obvious if you look at a Realm implementation.
>On Fri, Nov 6, 2020 at 5:24 AM Alex Orlov < ooo_saturn7@mail.ru > wrote:
>>I found this wonderful method :
>> 
>>SessionDAO#Collection<Session> getActiveSessions()
>> 
>>and want to use it. And I have two questions:
>> 
>>1) Why does the API hide top level objects for which we have interfaces?
>>For example, why is there no API SecurityManager.getSessionManager().getSessionDAO()?
>>It seems unusual to me. Besides, it is possible to set them via ini:
>> 
>> 
>>sessionManager = com.foo.my.SessionManagerImplementation
>>securityManager.sessionManager = $sessionManager
>> 
>>sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>securityManager.sessionManager = $sessionManager  # Configure a SessionDAO and then set it: securityManager.sessionManager.sessionDAO = $sessionDAO
>> 
>>Maybe it is necessary to change API?
>> 
>>2) Why does SecurityManager extend SessionManager?
>>As I understand it, SecurityManager has a SessionManager, but is not a SessionManager:
>> 
>>public interface SecurityManager extends Authenticator, Authorizer, SessionManager
>> 
>>Could anyone explain?
>> 
>> 
 

Re: Re[4]: How to get all logged in Subjects

Posted by Brian Demers <br...@gmail.com>.
Hey Alex,

Sorry about giving you wrong info before, I forgot about that method.

1.) From the API point of view the SessionDAO is an implementation detail,
and getting access to those details would require some casting.

They are not part of the main API because not all SessionManagers would use
a DAO, it's possible they are stored some other way.

It's possible to set them in an INI file because that operates on bean
properties (getters/setters).

2.) Many of Shiro's implementations make heavy use of inheritance.  This is
more obvious if you look at a Realm implementation.

On Fri, Nov 6, 2020 at 5:24 AM Alex Orlov <oo...@mail.ru> wrote:

> I found this wonderful method :
>
> SessionDAO#Collection<Session> getActiveSessions()
>
> and want to use it. And I have two questions:
>
> 1) Why does the API hide top level objects for which we have interfaces?
> For example, why is there no API
> SecurityManager.getSessionManager().getSessionDAO()?
> It seems unusual to me. Besides, it is possible to set them via ini:
>
>
> sessionManager = com.foo.my.SessionManagerImplementation
> securityManager.sessionManager = $sessionManager
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> securityManager.sessionManager = $sessionManager  # Configure a SessionDAO
> and then set it: securityManager.sessionManager.sessionDAO = $sessionDAO
>
> Maybe it is necessary to change API?
>
> 2) Why does SecurityManager extend SessionManager?
> As I understand it, SecurityManager has a SessionManager, but is not a
> SessionManager:
>
> public interface SecurityManager extends Authenticator, Authorizer,
> SessionManager
>
> Could anyone explain?
>
>
>

Re[4]: How to get all logged in Subjects

Posted by Alex Orlov <oo...@mail.ru>.
I found this wonderful method :
 
SessionDAO#Collection<Session> getActiveSessions()
 
and want to use it. And I have two questions:
 
1) Why does the API hide top level objects for which we have interfaces?
For example, why is there no API SecurityManager.getSessionManager().getSessionDAO()?
It seems unusual to me. Besides, it is possible to set them via ini:
 
 
sessionManager = com.foo.my.SessionManagerImplementation
securityManager.sessionManager = $sessionManager
 
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager  # Configure a SessionDAO and then set it: securityManager.sessionManager.sessionDAO = $sessionDAO
 
Maybe it is necessary to change API?
 
2) Why does SecurityManager extend SessionManager?
As I understand it, SecurityManager has a SessionManager, but is not a SessionManager:
 
public interface SecurityManager extends Authenticator, Authorizer, SessionManager
 
Could anyone explain?
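
The procedure the thread converges on, written out as an added example (it is not code from the thread, and not Shiro's own code): reach the SessionDAO through the casts Brian describes, walk SessionDAO#getActiveSessions(), keep the logged-in subjects that hold the changed role, and evict their cached AuthorizationInfo through the realm, which is what the original question asked for. Assumptions: the application's realm extends AuthorizingRealm (the AppRealm class and its evictAuthorization method are hypothetical wrappers, needed because clearCachedAuthorizationInfo is protected), the SecurityManager is a SessionsSecurityManager whose session manager is a DefaultSessionManager subclass such as DefaultWebSessionManager, and the role-change code path calls onRoleChanged. The class name RoleChangeCacheEvictor and the method names are mine.

```java
// Added example, not from the thread or from Shiro. Assumed wiring: an AuthorizingRealm
// subclass (AppRealm, hypothetical) and a DefaultSessionManager-based session manager.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

public final class RoleChangeCacheEvictor {

    /**
     * Hypothetical application realm. The application still supplies
     * doGetAuthenticationInfo/doGetAuthorizationInfo; this class only exposes
     * AuthorizingRealm's protected clearCachedAuthorizationInfo to callers.
     */
    public abstract static class AppRealm extends AuthorizingRealm {
        public void evictAuthorization(PrincipalCollection principals) {
            clearCachedAuthorizationInfo(principals);
        }
    }

    /** The SessionDAO is not part of the SecurityManager API, so it is reached by casting. */
    public static SessionDAO lookupSessionDao(SecurityManager securityManager) {
        if (!(securityManager instanceof SessionsSecurityManager)) {
            return null;
        }
        SessionManager sm = ((SessionsSecurityManager) securityManager).getSessionManager();
        if (!(sm instanceof DefaultSessionManager)) {
            return null; // e.g. ServletContainerSessionManager: no DAO, the container owns sessions
        }
        return ((DefaultSessionManager) sm).getSessionDAO();
    }

    /** Finds the application realm among the configured realms. */
    public static AppRealm lookupRealm(SecurityManager securityManager) {
        if (securityManager instanceof RealmSecurityManager) {
            for (Realm realm : ((RealmSecurityManager) securityManager).getRealms()) {
                if (realm instanceof AppRealm) {
                    return (AppRealm) realm;
                }
            }
        }
        return null;
    }

    /** Principals the Subject stored in its session at login; null for an anonymous session. */
    public static PrincipalCollection principalsOf(Session session) {
        Object attr = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        return attr instanceof PrincipalCollection ? (PrincipalCollection) attr : null;
    }

    /** Evicts cached authorization info for every active, logged-in subject holding the role. */
    public static List<PrincipalCollection> evictHolders(SessionDAO dao, AppRealm realm, String role) {
        List<PrincipalCollection> evicted = new ArrayList<>();
        Collection<Session> active = dao.getActiveSessions();
        for (Session session : active) {
            PrincipalCollection principals;
            try {
                principals = principalsOf(session);
            } catch (InvalidSessionException expiredMeanwhile) {
                continue; // the session was stopped or expired between the snapshot and this read
            }
            if (principals == null) {
                continue; // never logged in, so nothing is cached for it
            }
            // hasRole answers from the realm's (stale) authorization cache: exactly the set to drop
            if (realm.hasRole(principals, role)) {
                realm.evictAuthorization(principals);
                evicted.add(principals);
            }
        }
        return evicted;
    }

    /** Call this from the code path that changes the role in the DB; returns how many were evicted. */
    public static int onRoleChanged(String role) {
        SecurityManager securityManager = SecurityUtils.getSecurityManager();
        SessionDAO dao = lookupSessionDao(securityManager);
        AppRealm realm = lookupRealm(securityManager);
        if (dao == null || realm == null) {
            throw new IllegalStateException("SessionDAO or AppRealm not reachable from the SecurityManager");
        }
        return evictHolders(dao, realm, role).size();
    }
}
```

Two points to keep in mind when using this. getActiveSessions() only sees what the DAO sees: with MemorySessionDAO that is the current JVM, so on a cluster the DAO must sit on the shared store Ben describes, or the eviction has to run on every node. And hasRole on a subject whose authorization is not cached yet simply loads fresh data from the realm, which is harmless, so the pass is safe to run even for subjects that logged in after the role was changed.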
 
 

Re: How to get all logged in Subjects

Posted by Francois Papon <fr...@openobject.fr>.
You can also play with AbstractValidatingSessionManager and
SessionValidationScheduler to schedule the clean-up.

regards,

François
fpapon@apache.org

Le 05/11/2020 à 21:52, Brian Demers a écrit :
> This isn't something Shiro covers directly, but it is possible with a
> little custom code.
>
> You could write a custom SessionDAO, or you could use an existing one,
> and just access the data store to query what you need. For example, if
> you used a DB, you could just query the DB. It should be similar with
> something like Hazelcast too.
>
> On Thu, Nov 5, 2020 at 3:41 PM Alex Orlov <ooo_saturn7@mail.ru> wrote:
>
>     Do I understand you right — you are talking about implementing
>     custom SessionDAO
>     and adding it to session manager?
>      
>     sessionDAO = com.foo.my.SessionDAO
>     securityManager.sessionManager.sessionDAO = $sessionDAO
>      
>     So, can I always a) get events when a subject logs in (create) and
>     logs out (delete) and b) find currently logged in Subjects?
>      
>      
>     --
>     Best regards, Alex Orlov
>      
>      
>
>         Thursday, 5 November 2020, 23:12 +03:00 from Benjamin Marwell
>         <bmarwell@apache.org>:
>          
>         It depends.
>          
>         I use JWT tokens. No chance here to invalidate them, but they
>         get invalidated pretty quickly anyway.
>          
>         But you can use any *distributed* session storage you like: a
>         DBMS, a memory grid like hazelcast, or create your own local
>         storage and sync them via jGroups, or even EJBs. It doesn't
>         matter as long as all of the nodes use the same single or
>         synchronously updated storage.
>          
>         You can then iterate over all sessions in one of the nodes or
>         via a sidecar container/app and invalidate them.
>          
>         Just make sure you enter the session storage class in the
>         shiro.ini.
>
>         HTH
>         Ben
>          
>         On Thu, 5 Nov 2020, 20:47 Andreas Reichel,
>         <andreas@manticore-projects.com>
>         wrote:
>
>             Good evening Alex,
>              
>             in my understanding this is not possible: Shiro works on
>             the client side and provides an abstraction of
>             authenticating/authorizing a client against a server.
>             But you look for a registry of sessions on the server
>             side. That should not be Shiro's concern.
>              
>             Best regards
>             Andreas
>              
>              
>             On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>>             Hi all,
>>              
>>             Could anyone say how I can get all logged in
>>             subjects? For example, Subjects
>>             have roles, roles have permissions. If a role in the
>>             application is modified dynamically
>>             (for example in the DB), I want to get all logged in
>>             subjects, iterate over them, find those
>>             who have this role, collect their principals and call
>>             my realm method
>>             clearCachedAuthorizationInfo(PrincipalCollection principals).
>>              
>>              
>>             --
>>             Best regards, Alex Orlov
>              
>
>      
>

Re: Re[2]: How to get all logged in Subjects

Posted by Brian Demers <br...@gmail.com>.
This isn't something Shiro covers directly, but it is possible with a little
custom code.

You could write a custom SessionDAO, or you could use an existing one, and
just access the data store to query what you need. For example, if you used
a DB, you could just query the DB. It should be similar with something
like Hazelcast too.

On Thu, Nov 5, 2020 at 3:41 PM Alex Orlov <oo...@mail.ru> wrote:

> Do I understand you right — you are talking about implementing custom
> SessionDAO
> and adding it to session manager?
>
> sessionDAO = com.foo.my.SessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
>
> So, can I always a) get events when a subject logs in (create) and logs out
> (delete) and b) find currently logged in Subjects?
>
>
> --
> Best regards, Alex Orlov
>
>
>
> Thursday, 5 November 2020, 23:12 +03:00 from Benjamin Marwell <
> bmarwell@apache.org>:
>
> It depends.
>
> I use JWT tokens. No chance here to invalidate them, but they get
> invalidated pretty quickly anyway.
>
> But you can use any *distributed* session storage you like: a DBMS, a
> memory grid like hazelcast, or create your own local storage and sync them
> via jGroups, or even EJBs. It doesn't matter as long as all of the nodes
> use the same single or synchronously updated storage.
>
> You can then iterate over all sessions in one of the nodes or via a
> sidecar container/app and invalidate them.
>
> Just make sure you enter the session storage class in the shiro.ini.
>
> HTH
> Ben
>
> On Thu, 5 Nov 2020, 20:47 Andreas Reichel, <andreas@manticore-projects.com>
> wrote:
>
> Good evening Alex,
>
> in my understanding this is not possible: Shiro works on the client side
> and provides an abstraction of authenticating/authorizing a client against
> a server.
> But you look for a registry of sessions on the server side. That should
> not be Shiro's concern.
>
> Best regards
> Andreas
>
>
> On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>
> Hi all,
>
> Could anyone say how I can get all logged in subjects? For example,
> Subjects
> have roles, roles have permissions. If a role in the application is modified
> dynamically
> (for example in the DB), I want to get all logged in subjects, iterate over them,
> find those
> who have this role, collect their principals and call my realm method
> clearCachedAuthorizationInfo(PrincipalCollection principals).
>
>
> --
> Best regards, Alex Orlov
>
>
>
>
>

Re[2]: How to get all logged in Subjects

Posted by Alex Orlov <oo...@mail.ru>.
Do I understand you right — you are talking about implementing custom SessionDAO
and adding it to session manager?
 
sessionDAO = com.foo.my.SessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
 
So, can I always a) get events when a subject logs in (create) and logs out (delete) and b) find currently logged in Subjects?
 
 
--
Best regards, Alex Orlov
 
  
>Thursday, 5 November 2020, 23:12 +03:00 from Benjamin Marwell <bm...@apache.org>:
> 
>It depends.
> 
>I use JWT tokens. No chance here to invalidate them, but they get invalidated pretty quickly anyway.
> 
>But you can use any *distributed* session storage you like: a DBMS, a memory grid like hazelcast, or create your own local storage and sync them via jGroups, or even EJBs. It doesn't matter as long as all of the nodes use the same single or synchronously updated storage.
> 
>You can then iterate over all sessions in one of the nodes or via a sidecar container/app and invalidate them.
> 
>Just make sure you enter the session storage class in the shiro.ini.
>
>HTH
>Ben  
>On Thu, 5 Nov 2020, 20:47 Andreas Reichel, < andreas@manticore-projects.com > wrote:
>>Good evening Alex,
>> 
>>in my understanding this is not possible: Shiro works on the client side and provides an abstraction of authenticating/authorizing a client against a server.
>>But you look for a registry of sessions on the server side. That should not be Shiro's concern.
>> 
>>Best regards
>>Andreas
>> 
>> 
>>On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>>>Hi all,
>>> 
>>>Could anyone say how I can get all logged in subjects? For example, Subjects
>>>have roles, roles have permissions. If a role in the application is modified dynamically
>>>(for example in the DB), I want to get all logged in subjects, iterate over them, find those
>>>who have this role, collect their principals and call my realm method
>>>clearCachedAuthorizationInfo(PrincipalCollection principals).
>>> 
>>> 
>>>--
>>>Best regards, Alex Orlov
>> 
 

Re: How to get all logged in Subjects

Posted by Benjamin Marwell <bm...@apache.org>.
It depends.

I use JWT tokens. No chance here to invalidate them, but they get
invalidated pretty quickly anyway.

But you can use any *distributed* session storage you like: a DBMS, a
memory grid like hazelcast, or create your own local storage and sync them
via jGroups, or even EJBs. It doesn't matter as long as all of the nodes
use the same single or synchronously updated storage.

You can then iterate over all sessions in one of the nodes or via a sidecar
container/app and invalidate them.

Just make sure you enter the session storage class in the shiro.ini.

HTH
Ben

On Thu, 5 Nov 2020, 20:47 Andreas Reichel, <an...@manticore-projects.com>
wrote:

> Good evening Alex,
>
> in my understanding this is not possible: Shiro works on the client side
> and provides an abstraction of authenticating/authorizing a client against
> a server.
> But you look for a registry of sessions on the server side. That should
> not be Shiro's concern.
>
> Best regards
> Andreas
>
> On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
>
> Hi all,
>
> Could anyone say how I can get all logged in subjects? For example,
> Subjects
> have roles, roles have permissions. If a role in the application is modified
> dynamically
> (for example in the DB), I want to get all logged in subjects, iterate over them,
> find those
> who have this role, collect their principals and call my realm method
> clearCachedAuthorizationInfo(PrincipalCollection principals).
>
>
> --
> Best regards, Alex Orlov
>
>
>

Re: How to get all logged in Subjects

Posted by Andreas Reichel <an...@manticore-projects.com>.
Good evening Alex,

in my understanding this is not possible: Shiro works on the client
side and provides an abstraction of authenticating/authorizing a client
against a server.
But you look for a registry of sessions on the server side. That should
not be Shiro's concern.

Best regards
Andreas

On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote:
> Hi all,
>  
> Could anyone say how I can get all logged in subjects? For
> example, Subjects
> have roles, roles have permissions. If a role in the application is
> modified dynamically
> (for example in the DB), I want to get all logged in subjects, iterate over
> them, find those
> who have this role, collect their principals and call my realm
> method
> clearCachedAuthorizationInfo(PrincipalCollection principals).
>  
>  
> --
> Best regards, Alex Orlov