On Thu, Jul 29, 2010 at 9:06 PM, nivs <[email protected]> wrote:

> Great explanation! Thank you for taking the time to respond, very much
> appreciated. Burning those key points into my system.

Glad to help!

> Something I like to confirm: The subject.getSession() is an application
> scope isn't it? I guess it is coz the subject is available in the session
> until he is logged out.

I'm not sure exactly what you mean by 'application scope' - the session is really its own scope: it is a per-user data context that is tied to that user while they interact with the application or until it times out due to inactivity. A Shiro session serves the exact same purpose as an HttpSession, but is a bit more robust - it can work with or without a servlet container and can be accessible from any number of clients shared by the same user (e.g. a web browser and a desktop Swing application can share the same session for the same user).

> "But be sure to read the Subject#getPrincipal JavaDoc to understand how it
> works - especially if you have multiple realms in your application."
>
> On the above point you made, I had a read of the JavaDocs and I guess what
> you were pointing me to was using an application wide unique
> identifier (uniqueness)? If possible can you explain what the implications
> are across multiple realms in this context please?

Sure - the default heuristic is that the first principal returned from the first realm is the application's 'primary identifier'. This implies that the order the realms are defined and made available to Shiro's SecurityManager matters if you want to retain this heuristic.

However, if this default heuristic is not suitable, you can program your own implementation of Shiro's AuthenticationStrategy interface and plug that implementation into the SecurityManager. Implementations of this interface have the 'final say' as to what the primary principal is at the end of an authentication attempt in the 'afterAllAttempts' method implementation. See the PrincipalCollection#getPrimaryPrincipal JavaDoc for more.

Cheers,
Les
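As an added illustration of the 'afterAllAttempts' approach Les describes (example code, not from the thread or from the Shiro project), here is a custom AuthenticationStrategy that pins the primary principal to one named realm so the result no longer depends on realm ordering in the SecurityManager. The class name, the `preferredRealmName` property and the `accountsRealm` realm name in the shiro.ini comment are placeholders of this example.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Makes the principal contributed by one named realm the primary principal,
 * regardless of the order in which realms are listed in the SecurityManager.
 *
 * Wire it up in shiro.ini (class and realm names are placeholders):
 *   [main]
 *   authcStrategy = com.example.shiro.PreferredRealmPrimaryStrategy
 *   authcStrategy.preferredRealmName = accountsRealm
 *   securityManager.authenticator.authenticationStrategy = $authcStrategy
 */
public class PreferredRealmPrimaryStrategy extends AtLeastOneSuccessfulStrategy {

    private String preferredRealmName;

    public void setPreferredRealmName(String preferredRealmName) {
        this.preferredRealmName = preferredRealmName;
    }

    @Override
    public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate)
            throws AuthenticationException {
        // Let the parent enforce "at least one realm succeeded" before reordering.
        AuthenticationInfo info = super.afterAllAttempts(token, aggregate);
        PrincipalCollection principals = info.getPrincipals();
        if (preferredRealmName == null || principals == null
                || !principals.getRealmNames().contains(preferredRealmName)) {
            return info; // preferred realm did not authenticate; keep Shiro's default order
        }
        // Rebuild the collection with the preferred realm's principals added first;
        // SimplePrincipalCollection.getPrimaryPrincipal() returns the first principal added.
        SimplePrincipalCollection reordered = new SimplePrincipalCollection();
        reordered.addAll(principals.fromRealm(preferredRealmName), preferredRealmName);
        for (String realm : principals.getRealmNames()) {
            if (!realm.equals(preferredRealmName)) {
                reordered.addAll(principals.fromRealm(realm), realm);
            }
        }
        return new SimpleAuthenticationInfo(reordered, info.getCredentials());
    }
}
```

When the preferred realm is absent from a successful login the strategy falls through to Shiro's default first-realm heuristic, so authorization code that keys on Subject#getPrincipal should account for that case.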
