Note to all following this thread: I've just updated the codebase to provide out-of-the-box web support for this via a 'noSession' filter added to the default filters pool. It can be used in filter chains, for example
[urls] ... /rest/** = noSession, authcBasic The 'noSession' filter will prevent both Shiro and application developers from creating a new session for that particular filter chain. Please see the last few comments on https://issues.apache.org/jira/browse/SHIRO-266 for more details. This should provide an out-of-the-box solution for anyone doing REST or SOAP so they don't have to implement a web-specific SessionStorageEvaluator themselves. Feedback welcome. Cheers, -- Les Hazlewood CTO, Katasoft | http://www.katasoft.com | 888.391.5282 twitter: http://twitter.com/lhazlewood katasoft blog: http://www.katasoft.com/blogs/lhazlewood personal blog: http://leshazlewood.com
