Add support to invalidate the cache of a Shiro Principal #269

Open
Sherpard opened this issue Oct 14, 2019 · 2 comments

Comments

@Sherpard
Member

Right now, by default, Shiro remembers the credentials submitted by the user, to prevent redundant lookups checking the realm / permission mappers and so on.

That's done following the premise that the user credentials can be cached.

If the account is managed by the application itself (custom realm) and allows the user to change the password, until the cache expires by itself the user won't be able to use the new credentials.

There's a way to avoid this issue: disabling the security cache altogether (security -> cache -> false).
But that means every request has to be re-authenticated and re-authorized. That's not ideal.

ShiroRealmAdapter's parent has AuthorizingRealm.clearCachedAuthorization(PrincipalCollection principals), which would prove beneficial, so the user can manage the cache.

I'll try to work in a controlled way to manage the cache with the mechanisms that are in place.

@adrienlauer
Member

Hi @Sherpard!

It seems to me that the issue of proper security cache invalidation was taken care of in version 3.6.2. The key used to do lookups in the cache was different when populating it and clearing it. This prevented invalidation of the credentials/authorizations on logout, but commit b5ab7e4 fixed that.

Maybe this fix is not enough and having a way of explicitly clearing the cache would be great. Meanwhile, can you check why this fix is not working in your case? I remember that cache invalidation (even with the fix) is only working upon explicit logout, which is not ideal in web applications where the session is left to expire. A login with old credentials followed by an explicit logout allows working around it, which is still not a great user experience.

Lastly, one thing that could help you is to set a custom cache manager instead of disabling the cache. The security.cache.manager config property allows you to configure one (see the commit above for an example).

@Sherpard
Member Author

Sherpard commented Oct 16, 2019

In this use-case, I'm not talking about sessions that expire. I'm talking about a living environment, where the application can manage the user (change its password / permissions / roles).

If you don't get rid of the cached credentials, the user will keep its current roles / permissions and password, even if they are no longer valid.

I've already tried that version.

I've created a diagram that tries to illustrate the issue

[Diagram image attached in the original issue]

I agree that a custom cache could solve the issue, but having a method to use the underlying mechanisms that are already present in Shiro seems to be a better idea.
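An added example, not code from this thread or from the SeedStack project, of the approach the thread describes: an application-managed realm that uses Shiro's own CachingRealm.clearCache(PrincipalCollection) to evict a user's cached AuthenticationInfo and AuthorizationInfo the moment the application changes that user's password or roles, so stale credentials and permissions are not honoured until the cache expires. It assumes Shiro 1.x with a CacheManager configured on the security manager and a single realm named "app"; the class name, the in-memory store and the user "alice" are hypothetical.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Hypothetical realm: the application owns the account store and can mutate it at runtime.
public class InvalidatingRealm extends AuthorizingRealm {
    private final Map<String, String> passwords = new ConcurrentHashMap<>();  // user -> password
    private final Map<String, Set<String>> roles = new ConcurrentHashMap<>(); // user -> roles

    public InvalidatingRealm() {
        setName("app"); // realm name; reused below when rebuilding the PrincipalCollection
        setAuthenticationCachingEnabled(true);
        setAuthorizationCachingEnabled(true);
        passwords.put("alice", "old-secret"); // constructed sample account
        roles.put("alice", new HashSet<>(Arrays.asList("admin")));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = (String) token.getPrincipal();
        String stored = passwords.get(user);
        if (stored == null) throw new UnknownAccountException(user);
        return new SimpleAuthenticationInfo(user, stored, getName()); // cached under the username
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) getAvailablePrincipal(principals);
        return new SimpleAuthorizationInfo(roles.getOrDefault(user, Collections.emptySet()));
    }

    // Account-management entry points: update the store, then evict the stale cache entries.
    public void changePassword(String user, String newPassword) {
        passwords.put(user, newPassword);
        evict(user);
    }

    public void replaceRoles(String user, Set<String> newRoles) {
        roles.put(user, new HashSet<>(newRoles));
        evict(user);
    }

    // clearCache drops both cache entries. With a single realm this collection equals the one
    // Shiro stored the entries under, so populate and clear use the same key.
    private void evict(String user) {
        clearCache(new SimplePrincipalCollection(user, getName()));
    }
}
```

With several realms contributing principals to the Subject, the authorization cache key is the Subject's full PrincipalCollection, so the evicting collection would have to be rebuilt to match it exactly or the lookup key overridden to something stable such as the username.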
