Boris,

validate (if needed all) the permissions before someMethodThatTakesFiveHr(), and then execute the long running task in something like this (example from Nexus https://github.com/sonatype/nexus-public/blob/main/components/nexus-thread/src/main/java/org/sonatype/nexus/thread/NexusExecutorService.java) but also points to some Shiro examples.

In short, you will need some "super subject" for long running tasks (hence validate all a priori, should user be able to do things, as system for sure will be able to do so). Again, on example of Nexus, here is the "almighty subject": https://github.com/sonatype/nexus-public/blob/main/components/nexus-security/src/main/java/org/sonatype/nexus/security/subject/FakeAlmightySubject.java

HTH
T

On Wed, Feb 22, 2023 at 4:37 PM Boris Petrov <bo...@profuzdigital.com> wrote:

> Hi, sorry for the late answer. I'm not sure I understand you correctly.
> Imagine the following case:
>
> void newFrontendRequest() {
>   var subject = SecurityUtils.getSubject();
>   someMethodThatTakesFiveHoursToComplete();
>   var principal = subject.getPrincipal();
>   ...
> }
>
> This will blow up on the `getPrincipal` line because this subject's
> session has expired and is no longer valid. My question is how to handle
> something like that. Of course in my case things are much more complex, the
> code is not synchronous, the `getPrincipal` call is not directly after the
> long-running operation, etc.
>
> Thanks!
>
> On 2/17/23 21:01, le...@flowlogix.com wrote:
>
> Jakarta Batch or MicroProfile Long-Running Actions are some of the best
> practices implementations you are looking for.
>
> On Feb 17, 2023, at 6:33 AM, Arthur Okeke <arthurugochu...@gmail.com>
> wrote:
>
> Since the subject is authenticated at the point you reach the backend then
> maybe you can use some kind of impersonation, i.e. a backend job runs the
> long running process on behalf of the subject.
>
> On Fri 17. Feb 2023 at 09:52, Boris Petrov <bo...@profuzdigital.com>
> wrote:
>
>> OK, thanks for the answer. But in that case how would I handle the
>> following case - a request is made from the frontend with some
>> authenticated subject. I want to trigger some long-running process and
>> do something that requires a valid session after that. The long-running
>> process is in a chain of asynchronous stuff and I don't know where it
>> will "end" so I can log-out the subject. What are the best practices for
>> something like that?
>>
>> On 2/16/23 19:13, le...@flowlogix.com wrote:
>> > I would not recommend it. Unless the Subject is logged out, the session would not be garbage collected.
>> > Technically this is possible if every subject is ’sure’ to be logged out, but that’s unrealistic in a web application.
>> >
>> >> On Feb 16, 2023, at 8:01 AM, Boris Petrov <bo...@profuzdigital.com> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I'm wondering is it "safe" to call `setTimeout(-1);` on a Shiro session. That is, after I do that, is that a memory leak? Whenever the `Subject` of that `Session` is GC'd, will the session also be invalidated and removed from the session-manager or that must be done manually? Thanks!
>> >>
>> >> Regards,
>> >> Boris
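
The "validate a priori" step from the top reply, as an added example that is not part of the thread and is not Shiro or Nexus code: permissions are checked and the principal is read while the session is still valid, and the long-running work receives an immutable snapshot instead of the `Subject`. It uses a snapshot rather than the "super subject" the reply describes; `PreAuthorizedTask`, `Caller` and `Work` are hypothetical names, and Java 16+ is assumed for `record`.

```java
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.Executor;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper (not Shiro or Nexus code): authorize first, then run detached. */
public final class PreAuthorizedTask {

    /** Immutable snapshot of the caller, taken while the session is still valid. */
    public record Caller(Object principal, Set<String> checkedPermissions) {}

    /** The long-running work; it receives the snapshot instead of a Subject. */
    @FunctionalInterface
    public interface Work<T> {
        T run(Caller caller) throws Exception;
    }

    private PreAuthorizedTask() {}

    public static <T> CompletableFuture<T> submit(
            Executor executor, Set<String> requiredPermissions, Work<T> work) {
        Subject subject = SecurityUtils.getSubject();

        // Validate a priori, on the request thread: throws AuthorizationException
        // (and nothing is scheduled) if any required permission is missing.
        subject.checkPermissions(requiredPermissions.toArray(new String[0]));

        // Read the identity now. After this line the task never calls
        // subject.getPrincipal(), so an expired session cannot break it.
        Caller caller = new Caller(subject.getPrincipal(), Set.copyOf(requiredPermissions));

        // Note: authorization is a point-in-time decision here; a permission
        // revoked while the task runs is not re-checked.
        return CompletableFuture.supplyAsync(() -> {
            try {
                return work.run(caller);
            } catch (Exception e) {
                throw new CompletionException(e);
            }
        }, executor);
    }
}
```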