> could you please describe this logic. it looks like it is not possible to > use filters when you use spring remote invocation?
The instances configured in the [filters] section are ServletFilters. This means that they can filter Servlet (HTTP) requests. If you are using HTTP for Spring remoting (i.e. HttpInvoker), then the filters will work as expected as long as one of 2 things occur: 1. The sessionId is attached to the request as a cookie. That means the client that initiates the remoting call to the server must ensure the sessionId is in the request's Cookie header. 2. If no session ID is in a Cookie header, or you're not using HTTP as a transport, the session ID must be attached to the remoting invocation as an attribute. (That is, RemoteInvocation.setAttribute(SESSION_ID_KEY, sessionId); If you use Shiro's org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory in your client-tier spring remoting configuration, this will be done automatically. Is your client another server application? Or is it say, a desktop application used by only one user? I'll try to update the Shiro sample webapp that shows a Java WebStart application using remoting to call a Shiro-enabled server. - Les
