Shiro code for logging out a different user


Richard Wheeldon

Hi,

I'm running into an issue whereby if an administrator deletes or removes access from a regular user but they're currently logged on, the access is retained because it's stored in the current session. I can easily log out the current user with Subject.logout() but I can't see an obvious way within Shiro of kicking a session for a different user. Is there a simple way?

Regards,

Richard

Re: Shiro code for logging out a different user

lprimak
The key to this is not to kick the session out but to delete the permissions for this user. 
If the user has no permissions they can't do anything even though the session still exists. 
I believe I had to clear the Shiro cache for the user though but I had distributed cache going. 

On Aug 25, 2017, at 9:42 AM, Richard Wheeldon <[hidden email]> wrote:

Hi,

I'm running into an issue whereby if an administrator deletes or removes access from a regular user but they're currently logged on, the access is retained because it's stored in the current session. I can easily log out the current user with Subject.logout() but I can't see an obvious way within Shiro of kicking a session for a different user. Is there a simple way?

Regards,

Richard

RE: Shiro code for logging out a different user

Richard Wheeldon

Thanks. I thought it was doing that but there was a slight glitch,

Richard

From: Lenny Primak [mailto:[hidden email]]
Sent: Friday, August 25, 2017 4:21 PM
To: [hidden email]
Subject: Re: Shiro code for logging out a different user

 

The key to this is not to kick the session out but to delete the permissions for this user. 

If the user has no permissions they can't do anything even though the session still exists. 

I believe I had to clear the Shiro cache for the user though but I had distributed cache going. 


On Aug 25, 2017, at 9:42 AM, Richard Wheeldon <[hidden email]> wrote:

Hi,

I'm running into an issue whereby if an administrator deletes or removes access from a regular user but they're currently logged on, the access is retained because it's stored in the current session. I can easily log out the current user with Subject.logout() but I can't see an obvious way within Shiro of kicking a session for a different user. Is there a simple way?

Regards,

 

Richard
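
The two steps discussed in this thread (dropping a user's cached authorization data, and ending that user's sessions), as an added sketch against Shiro's public API; it is not code from the thread or from the Shiro project. `RevocableRealm` and `AccessRevoker` are hypothetical names, and it assumes native (Shiro-managed) sessions, a `SessionDAO` that can enumerate active sessions, and that the primary principal is the username.

```java
import java.util.ArrayList;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// Hypothetical base realm: the application's real realm would extend this and
// implement doGetAuthenticationInfo / doGetAuthorizationInfo as it does today.
abstract class RevocableRealm extends AuthorizingRealm {
    // clearCachedAuthorizationInfo is protected in AuthorizingRealm, so expose it.
    public void evict(PrincipalCollection principals) {
        clearCachedAuthorizationInfo(principals);
    }
}

// Hypothetical helper. Call it AFTER the roles/permissions have been removed
// from the backing store, otherwise the next check simply re-caches them.
public final class AccessRevoker {
    private final SessionDAO sessionDAO;
    private final RevocableRealm realm;

    public AccessRevoker(SessionDAO sessionDAO, RevocableRealm realm) {
        this.sessionDAO = sessionDAO;
        this.realm = realm;
    }

    /** Evicts cached authorization data and removes every session of the user. */
    public int revoke(String username) {
        int removed = 0;
        // Copy first: some DAOs return a live view that must not change mid-iteration.
        for (Session s : new ArrayList<>(sessionDAO.getActiveSessions())) {
            Object attr = s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (!(attr instanceof PrincipalCollection)) {
                continue; // anonymous session, nobody logged in on it
            }
            PrincipalCollection pc = (PrincipalCollection) attr;
            if (!username.equals(pc.getPrimaryPrincipal())) {
                continue; // assumption: primary principal is the username
            }
            // Reuse the session's own PrincipalCollection: by default it is the
            // authorization cache key, so the eviction hits the right entry.
            realm.evict(pc);
            // Deleting from the DAO also works when sessions live in a shared or
            // distributed store; the user's next request starts an anonymous session.
            sessionDAO.delete(s);
            removed++;
        }
        return removed;
    }
}
```

With a distributed cache the eviction has to reach the shared cache, not a node-local copy, for the change to take effect on every node.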