> Yep, this is fairly common. We have a Java Web Start sample
> application that you can use for ideas. It uses Spring remoting, but
> the concepts are the same regardless of the remoting mechanism - you
> just need to ensure that the session ID accompanies the remoting
> payload somehow.

I almost forgot - the addendum to this is that there is something on the server side that intercepts the request, constructs the Subject based on the sessionID, binds the subject to the thread, lets the request or invocation continue, and then unbinds the subject from the thread in a guaranteed manner.

We prefer that the subject.execute* methods are used to do the automatic binding/unbinding. In fact, Shiro's server-side interception mechanisms do exactly this. Take a look at the SecureRemoteInvocationExecutor[1] 'invoke' method and the AbstractShiroFilter[2] 'doFilterInternal' method implementations and replicate that.

Cheers,

Les

[1] http://svn.apache.org/repos/asf/incubator/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/remoting/SecureRemoteInvocationExecutor.java
[2] http://svn.apache.org/repos/asf/incubator/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java
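
The interception sequence described in the message above, for a custom remoting transport, as an added example that is not part of the original message and is not Shiro's own code. The class `SessionBoundInvoker` and its `invoke` signature are hypothetical, the Shiro 1.x `Subject.Builder` API is assumed, and rejecting callers that are not authenticated is this example's policy rather than something the message prescribes.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;

import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;

/** Hypothetical server-side entry point for a custom remoting transport. */
public class SessionBoundInvoker {

    private final SecurityManager securityManager;

    public SessionBoundInvoker(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /**
     * @param sessionId  session ID taken from the remoting payload (may be null)
     * @param invocation the service call to run with the caller's identity
     */
    public <V> V invoke(Serializable sessionId, Callable<V> invocation) throws Exception {
        // 1. Construct the Subject from the session ID sent by the client.
        Subject.Builder builder = new Subject.Builder(securityManager);
        if (sessionId != null) {
            builder.sessionId(sessionId);
        }
        Subject subject = builder.buildSubject();

        // 2. Example policy: do not assume a missing, expired or unknown
        //    session ID was rejected while building the Subject. Check the
        //    authentication state explicitly before running anything.
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException("No authenticated session for this request");
        }

        // 3. execute() binds the Subject to the current thread, runs the call,
        //    and unbinds in a finally block, so a pooled worker thread never
        //    carries one caller's identity into the next request.
        try {
            return subject.execute(invocation);
        } catch (ExecutionException e) {
            // Shiro wraps checked exceptions thrown by the Callable; unwrap them.
            Throwable cause = e.getCause();
            if (cause instanceof Exception) {
                throw (Exception) cause;
            }
            throw e;
        }
    }
}
```

Inside the `Callable`, `SecurityUtils.getSubject()` returns the caller's Subject, so permission checks in the service layer apply to the session that accompanied the request.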
