Posted to user@shiro.apache.org by James Whetstone <ja...@comcast.net> on 2011/12/13 06:31:45 UTC

How to force reauthorization.

Hi everyone,

My web app allows users to create resources dynamically through a web service.  When this occurs, the user that is adding the new resource gets permission to read the resource.  

For example, the user that adds the new resource will be given the following permission:  "my_resource_type:read:a1cd6635-42a9-4528-bddf-4c994c58cf9a".   The permissions are stored as strings in the database.

So my problem is that if the user tries to read the resource immediately following the creation of the resource, the user is denied because the user has already been authorized through my custom realm and the new permission hasn't been processed out of the database as would normally occur when user authorization occurs.

So I'm wondering if there is a way to force reauthorization, or otherwise handle this type of dynamic update to permissions, maybe by updating the Subject's authorization info dynamically.

Thank you!
James

Re: How to force reauthorization.

Posted by James Whetstone <ja...@comcast.net>.
Thanks for your response, Les.

So I came up with this code snippet where my Realm implementation has a 
method called 'invalidateUser' that calls clearCachedAuthorizationInfo(). Is 
this the way you would do it?

RealmSecurityManager mgr =
    (RealmSecurityManager) SecurityUtils.getSecurityManager();

Collection<Realm> realmCollection = mgr.getRealms();
Iterator<Realm> i = realmCollection.iterator();

// There should be only one realm
if (i.hasNext()) {
    MyRealm r = (MyRealm) i.next();
    r.invalidateUser(SecurityUtils.getSubject().getPrincipals());
}

Thank you!
James

----- Original Message ----- 
From: "Les Hazlewood" <lh...@apache.org>
To: <us...@shiro.apache.org>
Sent: Friday, December 16, 2011 11:25 AM
Subject: Re: How to force reauthorization.


I think it is much easier if you just call the 
'clearCachedAuthorizationInfo(PrincipalCollection)' method on the relevant 
Realm instance.  This will invalidate the authorization cache entry for the 
corresponding Subject as necessary.

This is the easiest approach when roles/permissions need to change at 
runtime.

HTH,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Dec 15, 2011, at 10:49 AM, James Whetstone wrote:

> Hi Manoj,
>
> I'm not sure I understand what you're suggesting on this.  I think the 
> cache manager behaves as you've described out of the box since I'm using 
> the built in ehcache cache manager that Shiro provides out of the box. 
> I.e. it supports multiple clients by virtue of the fact that the cache 
> manager implements
> public final <K, V> Cache<K, V> getCache(String name) throws 
> CacheException; So this implies that you can create named caches, one for 
> each client. And I've set up my web app to use it according to Shiro's 
> guidelines (using INI configuration parameters).
>
> If I'm not mistaken, all that is required is that I get the instance of 
> the cache manager, and update the cache by removing the entry for the 
> current Subject.
>
> Does this make sense to you?
>
> Thanks!
> James
>
> ----- Original Message ----- From: "Manoj Khangaonkar" 
> <kh...@gmail.com>
> To: <us...@shiro.apache.org>
> Sent: Wednesday, December 14, 2011 2:17 PM
> Subject: Re: How to force reauthorization.
>
>
> Hi James,
>
> That should work. But clearly is less than elegant.
>
> To do better Architecturally, I would look at the cache as structure
> that can have many clients, of which shiro is one client
> and the DAO is another. Just like a database where multiple clients
> can insert/update/delete rows.
>
> Manoj
>
> On Wed, Dec 14, 2011 at 8:24 AM, James Whetstone
> <ja...@comcast.net> wrote:
>> Hi Manoj,
>>
>> I should have seen this :-) . So I'm assuming that when I obtain my
>> security manager instance I should do it by casting the result like this:
>>
>> CacheSecurityManager mgr = (CacheSecurityManager)
>> SecurityUtils.getSecurityManager();
>>
>> Since I've configured the system to use a cache manager, this should 
>> work,
>> right?
>>
>> Thanks!
>>
>> James
>>
>> ----- Original Message ----- From: "Manoj Khangaonkar"
>> <kh...@gmail.com>
>> To: <us...@shiro.apache.org>
>> Sent: Wednesday, December 14, 2011 7:12 AM
>>
>> Subject: Re: How to force reauthorization.
>>
>>
>> James,
>>
>> SecurityManager or more specifically CacheSecurityManager does have
>> get/set methods for the cacheManager.
>>
>> On Tue, Dec 13, 2011 at 10:07 PM, James Whetstone
>> <ja...@comcast.net> wrote:
>>>
>>> Hi Manoj,
>>>
>>> Thanks for your help on this. So I need some direction with regards to 
>>> how
>>> to access and use the cache.
>>>
>>> I've configured my webapp with the following ini snippet:
>>>
>>> cassandraRealm = com.structuredcode.web.MyRealm
>>>
>>> securityManager.realms = $cassandraRealm
>>>
>>> cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
>>>
>>> securityManager.cacheManager = $cacheManager
>>>
>>> So in my servlet, I'm updating the permissions using my DAO, as you've
>>> described, but at that point, I don't know how to obtain my cache manager
>>> instance. I've looked through the API documentation for the
>>> SecurityManager and Subject classes thinking I could obtain the cache
>>> manager through one of these objects, but I don't see an API call for this.
>>>
>>> What am I missing?
>>>
>>> Thank you!
>>>
>>> James
>>>
>>>
>>>
>>> ----- Original Message ----- From: "Manoj Khangaonkar"
>>> <kh...@gmail.com>
>>> To: <us...@shiro.apache.org>
>>> Sent: Tuesday, December 13, 2011 9:36 PM
>>>
>>> Subject: Re: How to force reauthorization.
>>>
>>>
>>> Hi James,
>>>
>>> You don't need to do this using the REALM.
>>>
>>> The DAO that writes the permission to database is outside the scope of
>>> Shiro. After writing to database,
>>> this DAO can either update the cache or evict the item from the cache.
>>>
>>> Manoj
>>>
>>> On Tue, Dec 13, 2011 at 5:50 PM, James Whetstone
>>> <ja...@comcast.net> wrote:
>>>>
>>>>
>>>> That makes sense. But I'm unclear on how to obtain an instance of my
>>>> realm
>>>> implementation (which extends AuthorizingRealm) because I don't know 
>>>> how
>>>> the
>>>> realm manages the cache.
>>>>
>>>> In other words, do I need to make my realm a singleton? Or is it ok to
>>>> just
>>>> create a new one wherever I need to (and the cache automatically uses 
>>>> the
>>>> cache manager I specified in my ini file)?
>>>>
>>>> Also, once I get my instance of the AuthorizingRealm, I'm unclear on 
>>>> how
>>>> to
>>>> update or clear the AuthorizationInfo for a particular subject because
>>>> the
>>>> API calls that look like what I need are protected. E.g.
>>>> clearCachedAuthorizationInfo() is protected.
>>>>
>>>> I'm thinking I need to create a custom method on my realm that
>>>> invalidates
>>>> the AuthorizationInfo for the given subject.
>>>>
>>>> Can anyone advise me on how to best implement this given Shiro's 
>>>> design?
>>>>
>>>> ---James
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ----- Original Message ----- From: "Manoj Khangaonkar"
>>>> <kh...@gmail.com>
>>>> To: <us...@shiro.apache.org>
>>>> Sent: Tuesday, December 13, 2011 12:07 PM
>>>> Subject: Re: How to force reauthorization.
>>>>
>>>>
>>>>
>>>> Hi James,
>>>>
>>>> If your AuthorizationInfo is cached, you might need to update the cache
>>>> when
>>>> new permissions are created for the principal.
>>>>
>>>> Manoj
>>>>
>>>> On Mon, Dec 12, 2011 at 9:31 PM, James Whetstone
>>>> <ja...@comcast.net> wrote:
>>>>>
>>>>>
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> My web app allows users to create resources dynamically through a web
>>>>> service. When this occurs, the user that is adding the new resource 
>>>>> gets
>>>>> permission to read the resource.
>>>>>
>>>>> For example, the user that adds the new resource will be given the
>>>>> following
>>>>> permission:
>>>>> "my_resource_type:read:a1cd6635-42a9-4528-bddf-4c994c58cf9a".
>>>>> The permissions are stored as strings in the database.
>>>>>
>>>>> So my problem is that if the user tries to read the resource 
>>>>> immediately
>>>>> following the creation of the resource, the user is denied because the
>>>>> user
>>>>> has already been authorized through my custom realm and the new
>>>>> permission
>>>>> hasn't been processed out of the database as would normally occur when
>>>>> user
>>>>> authorization occurs.
>>>>>
>>>>> So I'm wondering if there is a way to force reauthorization, or
>>>>> otherwise
>>>>> handle this type of dynamic update to permissions, maybe by updating 
>>>>> the
>>>>> Subject's authorization info dynamically.
>>>>>
>>>>> Thank you!
>>>>> James
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> http://khangaonkar.blogspot.com/
>>>>
>>>
>>>
>>>
>>> --
>>> http://khangaonkar.blogspot.com/
>>>
>>
>>
>>
>> --
>> http://khangaonkar.blogspot.com/
>>
>
>
>
> -- 
> http://khangaonkar.blogspot.com/
>
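The approach Les recommends (calling clearCachedAuthorizationInfo on the realm) combined with Manoj's point that the DAO or service that writes the grant should be the one that evicts the cache, as an added, runnable example; this is not code from the thread or from Shiro itself. MyRealm, createResource, PERMISSION_TABLE, the user "james" and the demo password "secret" are hypothetical stand-ins for the poster's realm, servlet and database, and MemoryConstrainedCacheManager (Shiro's own in-memory CacheManager) is used in place of EhCacheManager so the class runs with only shiro-core on the classpath. It assumes Shiro 1.x. Run it once and the three printed checks show the stale cache entry, the same check after eviction, and the grant-and-evict pattern in one step.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class DynamicPermissionDemo {

    // Constructed stand-in for the permission table: user -> permission strings.
    static final Map<String, Set<String>> PERMISSION_TABLE = new ConcurrentHashMap<>();

    // Hypothetical realm standing in for the thread's com.structuredcode.web.MyRealm.
    public static class MyRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String user = (String) token.getPrincipal();
            if (!PERMISSION_TABLE.containsKey(user)) return null;            // unknown user
            return new SimpleAuthenticationInfo(user, "secret", getName());  // demo password
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // Runs once per Subject while a cache entry exists; the copy taken here is what
            // every later isPermitted() check sees until the entry is evicted.
            String user = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setStringPermissions(new HashSet<>(
                    PERMISSION_TABLE.getOrDefault(user, Collections.emptySet())));
            return info;
        }

        // Public wrapper around the protected eviction hook, as proposed in the thread.
        public void invalidateUser(PrincipalCollection principals) {
            clearCachedAuthorizationInfo(principals);
        }
    }

    // Hypothetical service: writes the grant, then optionally evicts the creator's entry.
    public static String createResource(Subject creator, boolean evictCache) {
        String id = UUID.randomUUID().toString();
        String user = (String) creator.getPrincipal();
        PERMISSION_TABLE.computeIfAbsent(user, k -> new CopyOnWriteArraySet<>())
                .add("my_resource_type:read:" + id);
        if (evictCache) {
            // Evict only after the write is durable, so the rebuilt entry includes the grant.
            RealmSecurityManager mgr = (RealmSecurityManager) SecurityUtils.getSecurityManager();
            for (Realm r : mgr.getRealms()) {
                if (r instanceof MyRealm) ((MyRealm) r).invalidateUser(creator.getPrincipals());
            }
        }
        return id;
    }

    public static void main(String[] args) {
        MyRealm realm = new MyRealm();
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        sm.setCacheManager(new MemoryConstrainedCacheManager()); // stand-in for EhCacheManager
        SecurityUtils.setSecurityManager(sm);

        PERMISSION_TABLE.put("james", new CopyOnWriteArraySet<>());
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("james", "secret"));
        subject.isPermitted("my_resource_type:read:none");   // primes the authorization cache

        // Without eviction the cached AuthorizationInfo predates the grant.
        String stale = createResource(subject, false);
        System.out.println("no eviction:    " + subject.isPermitted("my_resource_type:read:" + stale));

        // Evicting forces doGetAuthorizationInfo() to run again on the next check.
        realm.invalidateUser(subject.getPrincipals());
        System.out.println("after eviction: " + subject.isPermitted("my_resource_type:read:" + stale));

        // Service-side pattern from the thread: grant and evict in one step.
        String fresh = createResource(subject, true);
        System.out.println("grant+evict:    " + subject.isPermitted("my_resource_type:read:" + fresh));
        subject.logout();
    }
}
```

Two details worth knowing before wiring this into a DAO. AuthorizingRealm's default cache key for an AuthorizationInfo entry is the PrincipalCollection itself, so a DAO that evicts directly through the CacheManager (Manoj's "cache as a shared structure" model) has to present an equal PrincipalCollection, which couples it to how the realm names itself and builds principals; routing the eviction through the realm's own public method keeps that knowledge in one place. And the same eviction must run on revocation, not just on grant: a cached AuthorizationInfo that still lists a removed permission keeps authorizing the user until the entry is evicted or expires, which is the more dangerous direction of the staleness described in this thread.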



Re: How to force reauthorization.

Posted by Les Hazlewood <lh...@apache.org>.
I think it is much easier if you just call the 'clearCachedAuthorizationInfo(PrincipalCollection)' method on the relevant Realm instance.  This will invalidate the authorization cache entry for the corresponding Subject as necessary.

This is the easiest approach when roles/permissions need to change at runtime.

HTH,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com



Re: How to force reauthorization.

Posted by James Whetstone <ja...@comcast.net>.
Hi Manoj,

I'm not sure I understand what you're suggesting on this.  I think the cache 
manager behaves as you've described out of the box since I'm using the built 
in ehcache cache manager that Shiro provides out of the box.  I.e. it 
supports multiple clients by virtue of the fact that the cache manager 
implements
public final <K, V> Cache<K, V> getCache(String name) throws 
CacheException; So this implies that you can create named caches, one for 
each client. And I've set up my web app to use it according to Shiro's 
guidelines (using INI configuration parameters).

If I'm not mistaken, all that is required is that I get the instance of the 
cache manager, and update the cache by removing the entry for the current 
Subject.

Does this make sense to you?

Thanks!
James



Re: How to force reauthorization.

Posted by Manoj Khangaonkar <kh...@gmail.com>.
Hi James,

That should work. But clearly is less than elegant.

To do better Architecturally, I would look at the cache as structure
that can have many clients, of which shiro is one client
and the DAO is another. Just like a database where multiple clients
can insert/update/delete rows.

Manoj




-- 
http://khangaonkar.blogspot.com/

Re: How to force reauthorization.

Posted by James Whetstone <ja...@comcast.net>.
Hi Manoj,

I should have seen this :-) .  So I'm assuming that when I obtain my 
security manager instance I should do it by casting the result like this:

CacheSecurityManager mgr = (CacheSecurityManager) 
SecurityUtils.getSecurityManager();

Since I've configured the system to use a cache manager, this should work, 
right?

Thanks!
James



Re: How to force reauthorization.

Posted by Manoj Khangaonkar <kh...@gmail.com>.
James,

SecurityManager or more specifically CacheSecurityManager does have
get/set methods for the cacheManager.

On Tue, Dec 13, 2011 at 10:07 PM, James Whetstone
<ja...@comcast.net> wrote:


-- 
http://khangaonkar.blogspot.com/

Re: How to force reauthorization.

Posted by James Whetstone <ja...@comcast.net>.
Hi Manoj,

Thanks for your help on this.  So I need some direction with regards to how 
to access and use the cache.

I've configured my webapp with the following ini snippet:

cassandraRealm = com.structuredcode.web.MyRealm

securityManager.realms = $cassandraRealm

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager

securityManager.cacheManager = $cacheManager

So in my servlet, I'm updating the permissions using my DAO, as you've 
described, but at that point, I don't know how to obtain my cache manager 
instance.   I've looked through the API documentation for the 
SecurityManager and Subject classes thinking I could obtain the cache 
manager through one of these objects, but I don't see an API call for this.

What am I missing?

Thank you!
James



----- Original Message ----- 
From: "Manoj Khangaonkar" <kh...@gmail.com>
To: <us...@shiro.apache.org>
Sent: Tuesday, December 13, 2011 9:36 PM
Subject: Re: How to force reauthorization.




Re: How to force reauthorization.

Posted by Manoj Khangaonkar <kh...@gmail.com>.
Hi James,

You don't need to do this using the REALM.

The DAO that writes the permission to the database is outside the scope of
Shiro. After writing to the database,
this DAO can either update the cache or evict the item from the cache.

Manoj

On Tue, Dec 13, 2011 at 5:50 PM, James Whetstone
<ja...@comcast.net> wrote:

-- 
http://khangaonkar.blogspot.com/

Re: How to force reauthorization.

Posted by James Whetstone <ja...@comcast.net>.
That makes sense.  But I'm unclear on how to obtain an instance of my realm 
implementation (which extends AuthorizingRealm) because I don't know how the 
realm manages the cache.

In other words, do I need to make my realm a singleton?  Or is it ok to just 
create a new one wherever I need to (and the cache automatically uses the 
cache manager I specified in my ini file)?

Also, once I get my instance of the AuthorizingRealm, I'm unclear on how to 
update or clear the AuthorizationInfo for a particular subject because the 
API calls that look like what I need are protected.  E.g. 
clearCachedAuthorizationInfo() is protected.

I'm thinking I need to create a custom method on my realm that invalidates 
the AuthorizationInfo for the given subject.

Can anyone advise me on how to best implement this given Shiro's design?

---James





----- Original Message ----- 
From: "Manoj Khangaonkar" <kh...@gmail.com>
To: <us...@shiro.apache.org>
Sent: Tuesday, December 13, 2011 12:07 PM
Subject: Re: How to force reauthorization.




Re: How to force reauthorization.

Posted by Manoj Khangaonkar <kh...@gmail.com>.
Hi James,

If your AuthorizationInfo is cached, you might need to update the cache when
new permissions are created for the principal.

Manoj

On Mon, Dec 12, 2011 at 9:31 PM, James Whetstone
<ja...@comcast.net> wrote:


-- 
http://khangaonkar.blogspot.com/
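The cache update Manoj recommends in his replies (evict the stale entry from the DAO, through the CacheManager the security manager exposes) and the public wrapper around the protected clearCachedAuthorizationInfo() that James sketches, side by side in one runnable program. This is an added example written for this page; it is not code from the thread, from James's application or from Shiro's own documentation. The class and method names StalePermissionDemo, MyRealm, PERMISSION_TABLE, invalidateAuthorizationCache, evictViaRealm and evictViaCacheManager, the in-memory permission table standing in for James's database, and the password "secret" are assumptions for illustration; the Shiro types and the permission string are the ones discussed above. MemoryConstrainedCacheManager replaces the ini's EhCacheManager only so the demo runs offline; both are reached through the same CacheManager interface.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.cache.*;
import org.apache.shiro.mgt.*;
import org.apache.shiro.realm.*;
import org.apache.shiro.subject.*;

// Added example, not code from the thread. StalePermissionDemo, MyRealm, PERMISSION_TABLE,
// invalidateAuthorizationCache, evictViaRealm and evictViaCacheManager are illustrative names.
public class StalePermissionDemo {

    // Constructed stand-in for the database table of principal -> permission strings.
    static final Map<String, Set<String>> PERMISSION_TABLE = new HashMap<String, Set<String>>();

    // Once a CacheManager is set on the SecurityManager, AuthorizingRealm caches what
    // doGetAuthorizationInfo returns, keyed by the PrincipalCollection, until evicted or logout.
    public static class MyRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            // Constructed credential: every user in this demo authenticates with "secret".
            return new SimpleAuthenticationInfo(token.getPrincipal(), "secret", getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            Set<String> perms = PERMISSION_TABLE.get((String) principals.getPrimaryPrincipal());
            if (perms != null) {
                info.addStringPermissions(perms);
            }
            return info;
        }

        // Public wrapper for the protected clearCachedAuthorizationInfo(), as James proposed.
        public void invalidateAuthorizationCache(PrincipalCollection principals) {
            clearCachedAuthorizationInfo(principals);
        }
    }

    // Path 1: locate the realm through the SecurityManager and call the wrapper.
    static void evictViaRealm(PrincipalCollection principals) {
        RealmSecurityManager mgr = (RealmSecurityManager) SecurityUtils.getSecurityManager();
        for (Realm r : mgr.getRealms()) {
            if (r instanceof MyRealm) {
                ((MyRealm) r).invalidateAuthorizationCache(principals);
            }
        }
    }

    // Path 2: the DAO evicts through the CacheManager that CachingSecurityManager exposes,
    // without touching the realm. The key is the PrincipalCollection (AuthorizingRealm's default).
    static void evictViaCacheManager(String authorizationCacheName, PrincipalCollection principals) {
        CachingSecurityManager mgr = (CachingSecurityManager) SecurityUtils.getSecurityManager();
        CacheManager cm = mgr.getCacheManager();
        if (cm == null) {
            return; // no caching configured, so nothing can be stale
        }
        Cache<Object, AuthorizationInfo> cache = cm.getCache(authorizationCacheName);
        cache.remove(principals);
    }

    public static void main(String[] args) {
        MyRealm realm = new MyRealm();
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        // In-memory cache manager so the demo runs offline; the ini's EhCacheManager behaves
        // the same for this purpose. Setting it on the SecurityManager applies it to the realm.
        sm.setCacheManager(new MemoryConstrainedCacheManager());
        SecurityUtils.setSecurityManager(sm);

        Subject user = SecurityUtils.getSubject();
        user.login(new UsernamePasswordToken("james", "secret"));
        String perm = "my_resource_type:read:a1cd6635-42a9-4528-bddf-4c994c58cf9a";

        // The first check loads an AuthorizationInfo with no permissions and caches it.
        System.out.println("before grant: " + user.isPermitted(perm));

        // The "DAO" writes the new permission row; the cached info does not see it.
        PERMISSION_TABLE.put("james", new HashSet<String>(Collections.singleton(perm)));
        System.out.println("after grant, cache not evicted: " + user.isPermitted(perm));
        evictViaRealm(user.getPrincipals());
        System.out.println("after grant, cache evicted: " + user.isPermitted(perm));

        // Revocation is the dangerous direction: the cached info keeps granting access until evicted.
        PERMISSION_TABLE.remove("james");
        System.out.println("after revoke, cache not evicted: " + user.isPermitted(perm));
        evictViaCacheManager(realm.getAuthorizationCacheName(), user.getPrincipals());
        System.out.println("after revoke, cache evicted: " + user.isPermitted(perm));
    }
}
```

Save it as StalePermissionDemo.java and compile with shiro-core (and its slf4j dependency) on the classpath. Path 1 keeps the cache name and key private to the realm, which is why James's wrapper is the less brittle choice; Path 2 couples the DAO to getAuthorizationCacheName() and to the default cache key, so if the realm overrides getAuthorizationCacheKey() the DAO code has to follow. Two practical caveats: the same staleness that hides a freshly granted permission also keeps a revoked permission effective until the entry is evicted, logout (onLogout) clears it, or the cache expires, so eviction on revoke matters more than eviction on grant; and with the default Ehcache setup the cache is local to one JVM, so an eviction on one node does not reach a cluster. Calling setAuthorizationCachingEnabled(false) on the realm removes the problem entirely at the cost of one permission query per check.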