haikalrios commented on issue #1344: URL: https://github.com/apache/shiro/issues/1344#issuecomment-1988263034
Thanks @fpapon for your considerations.

The perspective of this conceptual example is intriguing and prompts us to reflect on session management and authentication/authorization in stateful applications. When we choose to store authentication/authorization data in the session, the session management mechanism, such as Shiro, naturally assumes control over this state. In this context, a JWT token merely serves as a transporter of credentials, eliminating the need for revalidation once the session is authenticated, because the session has the capability to maintain this state, including management of timeout, invalidation, and more.

However, in scenarios where the session holds states not related to authentication/authorization, revalidating the JWT token on each request through a filter would logically make sense. This approach depends on each use case, but fundamentally, it seems sensible to me.

For stateless applications, Shiro offers mechanisms like the filter 'NoSessionCreationFilter', which naturally facilitates token verification on every request, a practice common in REST APIs.

Does that make sense?
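As an added illustration, not taken from the issue thread or from the Shiro project itself, here is a `shiro.ini` that places the two setups discussed above side by side: a stateful area where the session carries the authenticated state, and a stateless REST area where `noSessionCreation` prevents any session from being created so the bearer JWT is verified on every request. `com.example.JwtRealm` is an assumed custom realm that checks the token's signature and expiry; it is not part of Shiro.

```ini
[main]
# Assumed custom realm (not shipped with Shiro): verifies the JWT's signature
# and expiry for every BearerToken it receives. Because the stateless chain
# below never stores a Subject in a session, this check runs on each request.
jwtRealm = com.example.JwtRealm

# Shiro's built-in BearerHttpAuthenticationFilter (default name "authcBearer")
# reads "Authorization: Bearer <jwt>" and submits it to the realms as a BearerToken.
authcBearer.applicationName = example-api

# Form login for the stateful part of the application.
authc.loginUrl = /login

[urls]
# Stateful area: the user authenticates once at /login. Afterwards the Shiro
# session holds the authenticated state, and timeout and invalidation are
# handled by the session manager, so the JWT is not re-validated here.
/login = authc
/app/** = authc

# Stateless REST area: noSessionCreation must come first in the chain so that
# no filter after it can create a session. With no session to carry state,
# authcBearer forces token verification on every request.
/api/** = noSessionCreation, authcBearer
```

Without `noSessionCreation` in front of `authcBearer`, a successful login on the REST chain would be cached in a newly created session, and later requests with a revoked or expired token would still be accepted until that session timed out.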
