Posted to user@shiro.apache.org by Stephen McCants <st...@hcs.us.com> on 2013/09/05 21:05:25 UTC

Shiro SSO with dynamic permissions

Hello All,

We have multiple WAR files deployed under one Tomcat instance.  To allow 
for Single Sign On (SSO), we have our own Session DAO that broadcasts to 
all war files when the Sessions are changed and this is working well.

Our next problem is with changing permissions.  If an administrator 
wants to change a user's permissions we want that to take effect 
immediately, not after logout/login.  The WebApp that changes the 
permission flushes the Realm AuthorizationInfo cache for that user.

My current plan is to broadcast AuthorizationInfo changes like we do 
Session changes, but I figured I'd ask if there was a standard way to do 
this or maybe something I've overlooked?

Thanks in advance!

Sincerely,
Stephen McCants

-- 
Stephen McCants
Senior Software Engineer
Healthcare Control Systems
1-877-877-8795 x116


Re: Shiro SSO with dynamic permissions

Posted by Stuart Broad <st...@moogsoft.com>.
Hi Stephen,

Sorry for the brief message.  I'm on my way out the door but hopefully this
will be helpful.

My understanding is the options are either:

1) Combine all the wars.
2) Do your own broadcasting of changes (in whatever manner is good for your
application, e.g. call a rest api)
3) Use something like ehcache between all the wars (ehcache basically
multicasts changes)
4) Perhaps some servlets could look up in the db every time (rather than
actually having a 'full apache shiro').

Cheers,

Stuart


On Thu, Sep 5, 2013 at 8:05 PM, Stephen McCants
<st...@hcs.us.com> wrote:

> Hello All,
>
> We have multiple WAR files deployed under one Tomcat instance.  To allow
> for Single Sign On (SSO), we have our own Session DAO that broadcasts to
> all war files when the Sessions are changed and this is working well.
>
> Our next problem is with changing permissions.  If an administrator wants
> to change a user's permissions we want that to take effect immediately, not
> after logout/login.  The WebApp that changes the permission flushes the
> Realm AuthorizationInfo cache for that user.
>
> My current plan is to broadcast AuthorizationInfo changes like we do
> Session changes, but I figured I'd ask if there was a standard way to do
> this or maybe something I've overlooked?
>
> Thanks in advance!
>
> Sincerely,
> Stephen McCants
>
> --
> Stephen McCants
> Senior Software Engineer
> Healthcare Control Systems
> 1-877-877-8795 x116
>
>
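
The receiving side of the "broadcast AuthorizationInfo changes" approach discussed in this thread, as an added example that is not code from either poster or from the Shiro project. `BroadcastAwareRealm` and `onPermissionsChanged` are hypothetical names, and the broadcast transport itself is assumed to be the application's own; only the Shiro calls (`clearCachedAuthorizationInfo`, `getAuthorizationCache`, `SimplePrincipalCollection`) are real API.

```java
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Hypothetical base class: each WAR's realm extends this instead of
 * AuthorizingRealm and registers itself with the application's own
 * broadcast channel (the transport is not shown and is an assumption).
 */
public abstract class BroadcastAwareRealm extends AuthorizingRealm {

    /**
     * Called by the receiving side of the broadcast in every WAR when an
     * administrator has changed permissions for a user.
     */
    public void onPermissionsChanged(String username) {
        if (username == null || username.trim().isEmpty()) {
            // Malformed notice: fail closed by dropping every cached entry,
            // so no stale permission survives an unreadable message.
            clearAllCachedAuthorizationInfo();
            return;
        }
        // Assumes this realm authenticated the user with the username as the
        // sole principal, so this collection equals the default cache key.
        clearCachedAuthorizationInfo(
                new SimplePrincipalCollection(username, getName()));
    }

    /** Drops all cached AuthorizationInfo, e.g. after a role definition changes. */
    public void clearAllCachedAuthorizationInfo() {
        Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
        if (cache != null) { // null when caching is disabled or not yet created
            cache.clear();
        }
    }
}
```

After eviction, the next permission check for that user calls the realm's `doGetAuthorizationInfo` again, so the new permissions apply without a logout/login.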