Hi: Relatively new to Shiro, am trying to create a simple kind of SSO mechanism -- as simple as possible, doesn't have to be full blown SSO.
A Shiro-secured webapp invokes services (both REST and HTTP) from other webapps, which are not secured. All these apps are currently hosted in the same web container, and so can share context relatively easily. This is no longer going to be the case, as these other (unsecured) webapps are going to be located in different webservers, possibly halfway across the planet. The Shiro-secured webapp uses custom realms and (web) filters and does everything in a web-aware way -- HTTP requests/sessions, and so on.

Basically, we need currently authenticated users in the secure app to be persisted in some shared store, and the currently authenticated user as determined by the secure app to be passed along with the requests to the other webapps, so these apps can then call back into the Shiro 'security system' to verify that the specific user has been successfully authenticated.

It is possible to use custom/extended filters and realms to share info, but is a minimalistic lighter-weight solution possible? Again, due to distance apart, the performance needs to be acceptable. 'Enterprise' sorts of features and examples like ehcache-backed code are bundled: not sure this solution needs the entire session to be shared across different webapps. Don't think so, but this could change.

Any thoughts/suggestions on the best approach for this greatly appreciated.

--
View this message in context: http://shiro-developer.582600.n2.nabble.com/SSO-using-Shiro-tp7367470p7367470.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
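The flow described in the post above (shared store, identity passed along with each request, callback to verify), as an added example that is not part of the original post and does not use Shiro's API. It assumes an opaque random ticket is passed instead of a bare username, since a username alone could be supplied by anyone who can reach the unsecured apps; the class and method names, the 30-minute lifetime, and the in-memory map standing in for the shared store are all hypothetical.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch: the map stands in for a store shared by all the webapps.
public class TicketStoreDemo {
    record Entry(String username, Instant expires) {}

    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;

    TicketStoreDemo(Duration ttl) { this.ttl = ttl; }

    // Secure app: call after a successful login; the ticket travels with outgoing requests.
    String issue(String username, Instant now) {
        byte[] raw = new byte[32];                 // 256 random bits, not guessable
        rng.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(ticket, new Entry(username, now.plus(ttl)));
        return ticket;
    }

    // Callback for the unsecured apps: which authenticated user, if any, owns this ticket?
    Optional<String> verify(String ticket, Instant now) {
        if (ticket == null) return Optional.empty();
        Entry e = store.get(ticket);
        if (e == null) return Optional.empty();    // unknown or forged ticket
        if (!now.isBefore(e.expires())) {          // expired: drop it and reject
            store.remove(ticket, e);
            return Optional.empty();
        }
        return Optional.of(e.username());
    }

    // Secure app: call on logout so the other apps stop accepting the ticket.
    void revoke(String ticket) { store.remove(ticket); }

    public static void main(String[] args) {
        TicketStoreDemo sso = new TicketStoreDemo(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");  // constructed sample time
        String ticket = sso.issue("alice", t0);              // constructed sample user
        System.out.println("valid:   " + sso.verify(ticket, t0.plusSeconds(60)));
        System.out.println("forged:  " + sso.verify("not-a-real-ticket", t0));
        System.out.println("expired: " + sso.verify(ticket, t0.plusSeconds(3600)));
        String second = sso.issue("alice", t0);
        sso.revoke(second);
        System.out.println("revoked: " + sso.verify(second, t0));
    }
}
```

Because each verification is a round trip to the store, a remote app that is far away could cache a positive result for a short interval, at the cost of honouring a revoked ticket until that cache entry ages out.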
