Hello
I am trying to use Shiro to secure a GWT application. I have met a very strange
problem, probably a bug. For simple testing, I created a servlet with only
this code:
    public void service(ServletRequest request, ServletResponse response)
            throws ServletException, IOException {
        // Log the submitted request parameters (test only).
        logger.debug(request.getParameter("username"));
        logger.debug(request.getParameter("password"));

        Subject currentUser = SecurityUtils.getSubject();
        // Session id before the login attempt.
        logger.debug(currentUser.getSession().getId());

        if (!currentUser.isAuthenticated()) {
            logger.debug("User is not authenticated. Try to authenticate");
            // Hard-coded test credentials.
            UsernamePasswordToken token = new UsernamePasswordToken("admin", "admin");
            currentUser.login(token);
        }

        logger.debug("Is user authenticated ?" + currentUser.isAuthenticated());
        logger.debug(currentUser.getPrincipal());
        // Session id after the login attempt.
        logger.debug(currentUser.getSession().getId());
    }
When I call the servlet directly, authentication succeeds but it is not
persisted. currentUser.isAuthenticated() is always false in other calls. Here
are 2 logs for this:
direct-call-1-log.txt: http://shiro-user.582556.n2.nabble.com/file/n5386790/direct-call-1-log.txt
direct-call-2-log.txt: http://shiro-user.582556.n2.nabble.com/file/n5386790/direct-call-2-log.txt
I notice that the session id changes for each request. On the other hand,
when I pass through a JSP which contains a form, authentication is
persisted. Here are the logs:
form-call-1-log.txt: http://shiro-user.582556.n2.nabble.com/file/n5386790/form-call-1-log.txt
direct-call-3-log.txt: http://shiro-user.582556.n2.nabble.com/file/n5386790/direct-call-3-log.txt
Does anyone understand why this happens?
Thank you for your help
Didier Bathily
PS: Sorry for my English, I'm French ;)
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Login-not-persisted-in-session-tp5386790p5386790.html
Sent from the Shiro User mailing list archive at Nabble.com.