Found out why there are no principals in SessionListener#onStop(): on explicit logout, DefaultSubjectDAO#removeFromSession(Subject) removes all principals before SessionListener#onStop() is called. As I understand it, on logout the session will be destroyed in any case. What are the reasons to explicitly clear the principals and authenticated flag from the session in this case?

Thanks,
Alexandr Vasilenko

2012/4/6 Alex Vasilenko <[email protected]>

> Les,
>
> Then I have problems, #onStop() doesn't have principals, even if user is
> known. #onStart() doesn't have principals as well, but I think it's because
> session is created earlier than principals are associated with it. Correct
> me if I'm wrong.
>
> Thanks,
>
> Alexandr Vasilenko
>
> 2012/4/6 Les Hazlewood <[email protected]>
>
>> Hi Alex,
>>
>> Yes, that's possible. A session can be created and stopped before it
>> is associated with an identity - for example, if the session was
>> created by a guest (user, robot, etc), and that guest never logged in
>> and their session expired.
>>
>> For sessions that have been associated with a known user (e.g. via
>> login or rememberMe), you would be able to obtain the identity
>> (principals).
>>
>> Just be aware that the onStop method is called before the session (and
>> its associated principals) are removed. You can perform 'read'
>> operations only (get the principals, check the last access time, etc)
>> during this time. You can't perform any 'write' operations (add
>> attributes, etc).
>>
>> HTH,
>>
>> Les Hazlewood
>> CTO, Stormpath | http://www.stormpath.com | 888.391.5282
>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>> blog: http://leshazlewood.com
>> stormpath blog: http://www.stormpath.com/blog/
>>
>> On Fri, Apr 6, 2012 at 10:46 AM, Alex Vasilenko <[email protected]> wrote:
>> > Les,
>> >
>> > Is it possible that there won't be principals on user's logout in
>> > SessionListener#onStop()?
>> >
>> > Alexandr Vasilenko
>> >
>> >
>> > 2012/4/6 Alex Vasilenko <[email protected]>
>> >>
>> >> Simple and powerful :). Thanks, Les.
>> >>
>> >> Alexandr Vasilenko
>> >>
>> >>
>> >> 2012/4/6 Les Hazlewood <[email protected]>
>> >>>
>> >>> Hi Alex,
>> >>>
>> >>> The easiest way to do this is to construct the Subject instance
>> >>> associated with the session given to the listener:
>> >>>
>> >>> Subject owningSubject = new Subject.Builder().session(theSession).buildSubject();
>> >>>
>> >>> You can interact with the 'owningSubject' instance to acquire what you
>> >>> need (e.g. owningSubject.getPrincipal()).
>> >>>
>> >>> This way, you don't need to know about the implementation details of
>> >>> how to acquire the principals (i.e. what session key to use, etc).
>> >>> This is good because those implementation details might change over
>> >>> time, but your code based on the Subject.Builder should always work
>> >>> the same way.
>> >>>
>> >>> Cheers,
>> >>>
>> >>> Les Hazlewood
>> >>>
>> >>> On Thu, Apr 5, 2012 at 12:34 PM, Alex Vasilenko <[email protected]> wrote:
>> >>> > Hello,
>> >>> >
>> >>> > Is there any simple solution to retrieve user's principals in
>> >>> > SessionListener? As far as I understand it's abstracted from subject
>> >>> > and
>> >>> > there's no way to get it simply w/o hacking into shiro code.
>> >>> >
>> >>> > Why do I need this:
>> >>> > We have pretty common use-case: show users, who are online. With
>> >>> > SessionListener it would be quite easy - #onStart() mark user as
>> >>> > online,
>> >>> > #onExpiration() and #onStop() - as offline.
>> >>> >
>> >>> > Thanks,
>> >>> > Alexandr Vasilenko
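
Added example, not part of the thread and not Shiro's own code: an "online users" listener that copes with the two cases discussed above, sessions that never had an identity and explicit logouts where the principals are cleared before onStop() runs. The class name `OnlineUserListener`, the `markOnline` hook and the two maps are hypothetical; it assumes the application calls `markOnline` right after a successful login.

```java
import java.io.Serializable;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.subject.Subject;

// Hypothetical class (not part of Shiro): presence tracking keyed by session id.
public class OnlineUserListener implements SessionListener {
    private final Map<Serializable, Object> online = new ConcurrentHashMap<>();
    private final Map<Object, Date> lastSeen = new ConcurrentHashMap<>();

    // Hypothetical hook: the application calls this right after subject.login(token).
    public void markOnline(Subject subject) {
        Object principal = subject.getPrincipal();
        if (principal != null) {
            online.put(subject.getSession().getId(), principal);
        }
    }

    @Override
    public void onStart(Session session) {
        // Nothing to record: the session exists before any identity is attached.
    }

    @Override
    public void onStop(Session session) { markOffline(session); }

    @Override
    public void onExpiration(Session session) { markOffline(session); }

    private void markOffline(Session session) {
        // On explicit logout the principals are already gone, so use the cached one.
        Object principal = online.remove(session.getId());
        if (principal == null) {
            // Never registered via markOnline (e.g. rememberMe): read-only lookup.
            principal = new Subject.Builder().session(session).buildSubject().getPrincipal();
        }
        if (principal != null) {                 // still null for guest sessions
            lastSeen.put(principal, session.getLastAccessTime());
        }
    }

    public Set<Object> onlinePrincipals() { return new HashSet<>(online.values()); }

    public Date lastSeen(Object principal) { return lastSeen.get(principal); }
}
```

Keying the map by session id rather than by principal means a user with two open sessions stays listed as online until the last one stops or expires.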
