This repository has been archived by the owner on Dec 12, 2018. It is now read-only.

Authentication Info to stay in cache after logout #8

Open
mrioan opened this issue Jun 13, 2014 · 3 comments
Comments

@mrioan
Contributor

mrioan commented Jun 13, 2014

@strieflin requested this feature (see #6)

Regarding cached Authentication: What I want to have is that I don't have to hit the Stormpath servers for every request against my REST API. Hence, I don't want to have the cache evicted, since that would make a round trip to the Stormpath servers necessary again. My current strategy is simply not to perform a logout after processing the request.

@strieflin

As far as I understand the authentication flow, the problem that I described in #7 will persist if you do the logout and don't evict the cache. On the next REST call with the same user name, the password is not considered for authentication, as there is a cache entry for that username that passes the AllowAllCredentialsMatcher. Perhaps I use the API in an unusual/incorrect way. Otherwise, this is a defect!

@mrioan
Contributor Author

mrioan commented Jun 13, 2014

@strieflin the fix I implemented (https://github.com/stormpath/stormpath-shiro/tree/cached_login_eviction_fix) solves that issue by removing the authentication info from the cache altogether after logout. I tried that myself using this fix in this sample application: https://github.com/stormpath/stormpath-shiro-web-sample.
If you can, please give it a try and let me know if the issue still persists. There is a slight chance I misunderstood the issue you are describing and thus the error still persists.
Mario

Note: this fix will remove the authentication info from the cache after logout, thus you will have round trips to the Stormpath servers necessary again in every login. The feature for "keeping authc info in cache after logout" will be treated here, in this issue #8.

@strieflin

I'm on vacation for the next two weeks. However, I will give your fix a try after I'm back. To be clear, I am confident that your fix solves the issue of cache eviction on logout! However, when issue #8 is resolved without changing the code in the way I described in the comment on issue #7 (or something similar), the problem I described probably persists.

Regarding your note: That said and regarding my analysis of the authentication flow, it seems to me that using authentication caching with a REST service, i.e. no state -> no sessions, makes no sense as I have to go through the login/logout cycle on each request which will then evict the cache, which will, as you mentioned above, make another round trip necessary :-(
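
An added example, not part of the original thread or of the stormpath-shiro code: a plain-Python model of the behaviour discussed above, where a cache hit keyed on the username alone accepts any password, beside one possible alternative that binds the cached entry to a salted derivation of the password. The class names, the `RemoteDirectory` stand-in for the remote account store and the sample credentials are constructed assumptions.

```python
import hashlib
import hmac
import os

class RemoteDirectory:
    """Constructed stand-in for the remote account store; counts round trips."""
    def __init__(self, users):
        self._users = users
        self.round_trips = 0

    def verify(self, username, password):
        self.round_trips += 1
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

class NameOnlyCache:
    """Models the reported flow: a cache hit on the username skips the password."""
    def __init__(self, directory):
        self.directory, self.cache = directory, set()

    def login(self, username, password):
        if username in self.cache:
            return True  # allow-all on a hit: password never examined
        ok = self.directory.verify(username, password)
        if ok:
            self.cache.add(username)
        return ok

    def logout(self, username, evict=True):
        if evict:
            self.cache.discard(username)

class CredentialBoundCache:
    """Hypothetical alternative: a hit counts only if the password matches too."""
    def __init__(self, directory, iterations=100_000):
        self.directory, self.iterations, self.cache = directory, iterations, {}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def login(self, username, password):
        entry = self.cache.get(username)
        if entry and hmac.compare_digest(self._derive(password, entry[0]), entry[1]):
            return True  # served from cache, no round trip
        if not self.directory.verify(username, password):
            return False  # miss or mismatch: the remote store decides
        salt = os.urandom(16)
        self.cache[username] = (salt, self._derive(password, salt))
        return True
```

With the credential-bound variant, entries can stay cached across logout without a wrong password being accepted. A password changed or revoked at the remote store is still honoured from the cache until the entry expires, so such a cache needs a time-to-live.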
