>> This implies that the session ID you've acquired came from a previous
>> interaction with a session, that is:
>>
>> Serializable sessionID = subject.getSession().getId();  // getId() returns Serializable; make this available for use later somehow
>
> so the sessionId is generated for me so I must keep and maintain my own
> mapping of mySessionId->SessionId?

The session ID is generated at the time the session is created in the
SessionDAO implementation's create() method.  If you want to create
your own session ID (such as using the full JID), you'll need to
create your own SessionDAO implementation.

To make this easier in the future, I just created this issue:
https://issues.apache.org/jira/browse/SHIRO-122

This will enable custom ID generation capabilities without requiring
you to create or subclass SessionDAO implementations.  Until that
feature is implemented, you'll probably need to create a SessionDAO
implementation.  You can look at the MemorySessionDAO implementation
to see how it generates the session id for ideas.

In your case, you'll probably need to bind the full JID to the
ThreadContext before creating the session for the first time, and then
when the session needs to be created in your SessionDAO
implementation, access the ThreadContext to get the full JID and use
that then.

For example, if subclassing MemorySessionDAO and creating say an
XmppMemorySessionDAO, you would just override the
generateNewSessionId() method to get the full JID from the
ThreadContext and return it.

Then just plug this SessionDAO implementation into the configuration:

[main]
xmppMemorySessionDAO = com.my.pkg.XmppMemorySessionDAO
securityManager.sessionManager.sessionDAO =  $xmppMemorySessionDAO

> please advise my best approach, I am trying to use Shiro to manage
> interactions with XMPP users in 2 distinct ways.
> 1) pure XMPP client is connecting so I want to use the bare JID (eg
> [email protected]) as the principal username, and the full JID
> ([email protected]/resource)+chatThreadId as the sessionId.
> no password exists, and no ip address is available so since you are changing
> InetAddress to string I would like to store the full JID in this field as
> it's the nearest thing I have (is this ok?)

Sure, you could do this although it would be a little strange since
the attribute is called 'host'.  Whatever works for you though ;)

> each time I receive a request I need to discover the appropriate subject by
> sessionId as would normally be done by any servlet engine etc, but I really
> don't follow how I should do this?

After your custom SessionDAO is implemented as described above and
configured, you could then do the following at runtime (I assume as
soon as you receive an XMPP call, immediately before doing anything
else):

//Configure the builder with the session ID, then build the Subject once:
Subject.Builder builder = new
Subject.Builder(securityManager).sessionId(theFullJID);
Subject xmppClientSubject = builder.buildSubject();

//Execute the rest of the thread as that subject:
xmppClientSubject.execute( new Runnable() {
    public void run() {
        invokeMethod(); //or whatever else you want to do as the subject
    }
});

Or you could execute a Callable instead if you need to catch
exceptions or return a value.

> oh and
> 2) I also need a second variation which expects an XMPP connection also, but
> the user will be determined and authenticated by OAuth signature. sessionId
> in this case would be connectinguserFullJID+oauthUserBareJID

The session IDs can be constructed differently as long as all session
IDs are always unique (across all sessions, no matter how they are
initiated).

> unfortunately I have no possible way to store a Shiro generated sessionId on
> the client side, I can only use what is already available. XMPP does not
> support cookies or anything similar (unless the client is connecting using a
> custom client app which mine certainly will not be), so I want to seed the
> session with my own sessionId, can I do this?

Yep, see the above comments about the SessionDAO approach.

Try these things out and let us know how it goes.  Feel free to ask
questions along the way!

Best,

Les

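The SessionDAO approach described in this message, as an added example that is not part of the original e-mail and is not Shiro's own code. It is written against the released Shiro 1.x API, where the override point is AbstractSessionDAO.generateSessionId(Session) rather than the generateNewSessionId() named above (an assumption about your version); FULL_JID_KEY and callAs are hypothetical names.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Added example, not Shiro's or the poster's code.
public class XmppMemorySessionDAO extends MemorySessionDAO {

    // Hypothetical ThreadContext key under which the full JID is bound.
    public static final String FULL_JID_KEY =
            XmppMemorySessionDAO.class.getName() + ".FULL_JID";

    // Called from doCreate(): use the bound full JID instead of a generated ID.
    @Override
    protected Serializable generateSessionId(Session session) {
        Object jid = ThreadContext.get(FULL_JID_KEY);
        if (!(jid instanceof String) || ((String) jid).isEmpty()) {
            // Fail closed rather than fall back to an empty or shared ID.
            throw new IllegalStateException("no full JID bound to this thread");
        }
        return (String) jid;
    }

    // Hypothetical helper: run work as the Subject keyed by fullJid.
    // fullJid must be a JID your server has already verified for this
    // connection, because here the session ID is an address, not a secret.
    public static <V> V callAs(SecurityManager securityManager, String fullJid,
                               Callable<V> work) {
        ThreadContext.put(FULL_JID_KEY, fullJid);
        try {
            Subject subject = new Subject.Builder(securityManager)
                    .sessionId(fullJid).buildSubject();
            // First contact: no session exists yet, so create it now,
            // while the JID is still bound for generateSessionId().
            subject.getSession();
            return subject.execute(work);
        } finally {
            ThreadContext.remove(FULL_JID_KEY); // pooled threads must not keep it
        }
    }
}
```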