
Logout all still-logged-in users from WebApp using Shiro and Spring WebMVC (Java8, Spring 4.x)


I'm fairly new to Shiro, so here's my question:

I've implemented Shiro in an application using Spring WebMVC / Spring Framework (4.x) on a Tomcat 8 container. The roles and permissions are working fine so far, and the login too, but the problem is that sessions are still working when I redeploy my war file or stop/restart the server, which is not intended here.

It would be great to get a hint about what I have to do to implement something like an "auto-logout" of all logged-in users after a redeploy/restart of the server, e.g. redirecting to the login page and showing a modal or something saying "you've been logged out due to [reasons]".

Best regards, Dominik


Solution

  • You can use the SessionDAO interface, but you need to do extra configuration to have Shiro use a SessionDAO, as described here:

    http://shiro.apache.org/session-management.html#SessionManagement-SessionStorage

    When you have configured it correctly you can do stuff like:

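        import java.util.Collection;
        import org.apache.shiro.SecurityUtils;
        import org.apache.shiro.mgt.DefaultSecurityManager;
        import org.apache.shiro.session.Session;
        import org.apache.shiro.session.mgt.DefaultSessionManager;

        // The casts only succeed once Shiro's native session management and a SessionDAO are configured.
        DefaultSecurityManager securityManager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
        DefaultSessionManager sessionManager = (DefaultSessionManager) securityManager.getSessionManager();
        Collection<Session> activeSessions = sessionManager.getSessionDAO().getActiveSessions();
        for (Session session : activeSessions) {
            session.stop();
        }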
    

    Only, if you want to have a message like you suggest, you cannot do this after you have removed the session, as the server no longer has any clue whether the browser's session was logged out.

    Instead, what you can do is write something to the DB above the session.stop() call, i.e. set a flag that the next request should result in the autologout action. You could probably implement the autologout logic using a Filter.
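
The flag-then-stop idea and the Filter suggested in the answer above, as an added example that is not part of the original answer or of Shiro itself. Assumptions: the class name `ForcedLogoutFilter`, a flag file under `java.io.tmpdir` standing in for the DB table, the `/login?reason=forced-logout` target, and that Shiro's session cookie uses the default `JSESSIONID` name so the container exposes it through `getRequestedSessionId()`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;

/** Added example: flags each session before stopping it, then redirects the flagged browser once. */
public class ForcedLogoutFilter implements Filter {
    // Assumed flag store: a file that survives redeploys (a DB table works the same way).
    static final Path FLAGS = Paths.get(System.getProperty("java.io.tmpdir"), "forced-logout.ids");

    /** Call before shutdown/redeploy, e.g. from a ServletContextListener. */
    public static synchronized void stopAll(SessionDAO dao) throws IOException {
        for (Session s : dao.getActiveSessions()) {
            byte[] line = (s.getId() + "\n").getBytes(StandardCharsets.UTF_8);
            Files.write(FLAGS, line, StandardOpenOption.CREATE, StandardOpenOption.APPEND);
            s.stop(); // flag first, so the next request can still be recognised
        }
    }

    /** Removes the flag if present, so the notice is shown exactly once. */
    static synchronized boolean consume(String id) throws IOException {
        if (!Files.exists(FLAGS)) return false;
        List<String> ids = new ArrayList<>(Files.readAllLines(FLAGS, StandardCharsets.UTF_8));
        boolean flagged = ids.remove(id);
        if (flagged) Files.write(FLAGS, ids, StandardCharsets.UTF_8);
        return flagged;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String id = req.getRequestedSessionId(); // id from the cookie the browser still sends
        if (id != null && consume(id)) {
            // Fixed, application-relative target: nothing from the request is echoed back.
            res.sendRedirect(req.getContextPath() + "/login?reason=forced-logout");
            return;
        }
        chain.doFilter(rq, rs);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Because the flag is consumed on the first hit, the redirected request to the login page passes through the filter without looping.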