Authentication Info to stay in cache after logout

[mrioan]

@strieflin requested this feature (see #6)

Regarding cached Authentication: What I want to have is that I don't have to hit the Stormpath servers for every request against my REST API. Hence, I don't want to have the cache evicted, since that would make a round trip to the Stormpath servers necessary again. My current strategy is simply not to perform a logout after processing the request.

[strieflin]

As of my understanding of the authentication flow, the problem that I described in #7 will persist, if you do the logout and don't evict the cache. On the next REST call with the same user name, the password is not considered for authentication as there is a cache entry for that username that passes the AllowAllCredentialsMatcher. Perhaps, I use the API in an unusual/incorrect way. Otherwise, this is a defect!

[mrioan]

@strieflin the fix I implemented (https://github.com/stormpath/stormpath-shiro/tree/cached_login_eviction_fix) solves that issue by removing the authentication info from the cache altogether after logout. I tried that myself using this fix in this sample application: https://github.com/stormpath/stormpath-shiro-web-sample.
If you can, please give it a try and let me know if the issue still persists. There is a slight chance I misunderstood the issue you are describing and thus the error still persists.
Mario

Note: this fix will remove the authentication info from the cache after logout, thus you will have round trips to the Stormpath servers necessary again in every login. The feature for "keeping authc info in cache after logout" will be treated here, in this issue #8.

[strieflin]

I'm on vacations for the next two weeks. However, I will give your fix a try after I'm back. To be clear, I am confident that your fix solves the issue of cache eviction on logout! However, when issue #8 is resolved without changing the code in the way I described in the comment on issue #7 (or something similar), the problem I described probably persists.

Regarding your note: That said and regarding my analysis of the authentication flow, it seems to me that using authentication caching with a REST service, i.e. no state -> no sessions, makes no sense as I have to go through the login/logout cycle on each request which will then evict the cache, which will, as you mentioned above, make another round trip necessary :-(