Hello All,
I'm working on a new problem and haven't found a good solution.
We have the ability to lock a user's account which prevents them
from logging in. This is implemented in our custom Realm. However, if
a user is already logged in, they can continue to do things until their
session expires or they logout.
We'd like to be able to boot someone out immediately, but I haven't
been able to find a good way to do this. My main approach was to modify
their session, but that seemed to have no effect on their Subject in
their ThreadContext.
Here are some of the things I tried doing to their session:
import java.util.Collection;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;

SessionDAO sdao = DAOUtils.getFactory().getSessionDAO(); // Get the custom session DAO
Collection<Session> sessions = sdao.getActiveSessions();
for (Session s : sessions) {
    // Find the session based on the locked user's principal
    s.stop();
    sdao.update(s);
}
Also tried:
s.setAttribute(org.apache.shiro.subject.support.DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, false);
sdao.update(s);
And:
sdao.delete(s);
I also tried building a new subject from the session and logging it out:
Subject foreignSubject = new Subject.Builder().session(s).buildSubject();
foreignSubject.logout();
I think the problem is the real Subject is cached in a ThreadLocal and
not accessible (unless the person locking the account is locking their
own account). The cached Subject doesn't get updated when the session
has changed.
Does anyone have any recommendations or even a good solution to
this problem? I'm sure I'm not the first to want to do this.
Thanks in advance!
Sincerely,
Stephen McCants
--
Stephen McCants
Senior Software Engineer
Healthcare Control Systems
1-877-877-8795 x116
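One way to enforce a lock against an already-logged-in user, as an added example that is not part of the original post or of Shiro's own code: a Shiro AdviceFilter that re-checks the lock flag on every request, logs the current Subject out, and stops any other active sessions bound to the same principal. `AccountLockRegistry` (the lookup behind the custom Realm's lock flag) and `LOGIN_URL` are assumed application-side pieces.

```java
import java.util.Collection;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.apache.shiro.web.servlet.AdviceFilter;
import org.apache.shiro.web.util.WebUtils;

// Assumed application-side lookup of the lock flag kept by the custom Realm.
interface AccountLockRegistry {
    boolean isLocked(Object principal);
}

public class LockedAccountFilter extends AdviceFilter {
    private static final String LOGIN_URL = "/login"; // assumed login page
    private final AccountLockRegistry locks;
    private final SessionDAO sessionDao;

    public LockedAccountFilter(AccountLockRegistry locks, SessionDAO sessionDao) {
        this.locks = locks;
        this.sessionDao = sessionDao;
    }

    // Runs before every mapped request. Shiro rebuilds the thread-bound Subject from
    // the session on each request, so a lock applied mid-session is caught here.
    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        Subject subject = SecurityUtils.getSubject();
        Object principal = subject.getPrincipal();
        if (principal == null || !locks.isLocked(principal)) {
            return true; // anonymous or not locked: let the chain continue
        }
        stopOtherSessions(principal);  // same user on other browsers/devices
        subject.logout();              // clears this request's Subject and its session
        WebUtils.issueRedirect(request, response, LOGIN_URL);
        return false;                  // do not let the request proceed
    }

    // Stop every stored session whose principal matches; persist via the DAO so the
    // next request for that session fails validation instead of reading a stale copy.
    private void stopOtherSessions(Object principal) {
        Collection<Session> active = sessionDao.getActiveSessions();
        for (Session s : active) {
            PrincipalCollection pc = (PrincipalCollection)
                    s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (pc != null && principal.equals(pc.getPrimaryPrincipal())) {
                s.stop();
                sessionDao.update(s);
            }
        }
    }
}
```

Map the filter on the protected paths in the Shiro filter chain so it runs after `authc`; the lock check is then evaluated per request rather than only at login.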