You can also play with AbstractValidatingSessionManager and SessionValidationScheduler to scheduled the clean up
regards,. François [email protected] Le 05/11/2020 à 21:52, Brian Demers a écrit : > This isn't something Shiro covers directly, but it possible with a > little custom code > > You could write a custom SessionDAO, or you could use an existing one, > and just access the data store to query what you need. For example, if > you used a DB, you could just query the DB. It should be similar with > a something like Hazelcast too. > > On Thu, Nov 5, 2020 at 3:41 PM Alex Orlov <[email protected] > <mailto:[email protected]>> wrote: > > Do I understand you right — you are talking about implementing > custom SessionDAO > and adding it to session manager? > > sessionDAO = com.foo.my.SessionDAO > securityManager.sessionManager.sessionDAO = $sessionDAO > > So, I always can a) get events when subject logs in (create) and > logs out (delete) 2) find currently logged in Subjects? > > > -- > Best regards, Alex Orlov > > > > Четверг, 5 ноября 2020, 23:12 +03:00 от Benjamin Marwell > <[email protected] <mailto:[email protected]>>: > > It depends. > > I use jwt tokens. No chance here to invalidate them, but they > get invalidate pretty quickly anyway. > > But you can use any *distributed* session storage you like: a > DBMS, a memory grid like hazelcast, or create your own local > storage and sync them via jGroups, or even EJBs. It doesn't > matter as long as all of the nodes use the same single or > synchronously updated storage. > > You can then iterate over all sessions in one of the nodes or > via a sidecar container/app and invalidate them. > > Just make sure you enter the session storage class in the > shiro.ini. > > HTH > Ben > > On Thu, 5 Nov 2020, 20:47 Andreas Reichel, > <[email protected] > > <//e.mail.ru/compose/?mailto=mailto%3aandreas@manticore%2dprojects.com>> > wrote: > > Good evening Alex, > > in my understanding this is not possible: Shiro works on > the client side and provides an abstraction of > authenticating/authorizing a client against a server. > But you look for a registry of sessions on the server > side. That should not be Shiro's concern. > > Best regards > Andreas > > > On Thu, 2020-11-05 at 22:42 +0300, Alex Orlov wrote: >> Hi all, >> >> Could anyone say, how I can to get all logged in >> subjects. For example, Subjects >> have roles, roles have permissions. If in application a >> role were modified dynamically >> (for example in DB), I want to get all logged in >> subjects, iterate them, find those, >> who have this role, collect their principals and call in >> my realm method >> clearCachedAuthorizationInfo(PrincipalCollection principals). >> >> >> -- >> Best regards, Alex Orlov > > > >
