Hello, thank you for your detailed answer!

1. 
I can inform you it is not a bug. I simply forgot to use this filter in my
[urls] section. After I changed 

[urls]
/* = authc

to

[urls]
/* = ownFilter

everything worked as expected. 

2. 
Thanks for the information, I changed my code as suggested. 

3.
If I understood you correctly, you say that if my EJB and War Container are
deployed on the same machine I could simply use
SecurityUtils.getSubject(); without further configuration? This would be
really great because currently this is our main use case.

But if I would use the EJB Container with remote method invocation for
example by a "normal" java application or a War deployed on a different
machine using the @Remote Interfaces from SessionBeans I need to develop my
own bind/unbind mechanism to access the Subject. 

Correct? 

Also I now have another question on this EJB topic. Would it also be a
correct solution in a remote situation if the caller of the remote method
simply sends the password and username of the Subject (encrypted of course)
to the EJB Container, the EJB Container authenticates the user again on the
same realm as the caller, checks his rights, performs the methods if the
user is allowed to, logs the user out, and returns the result, if any, to the
caller?

This approach sounds easier to me at the moment but maybe this is because I
never did AOP before in my life.

If we develop something generic for the EJB container, I can't assure you
that my company would allow me to donate the code to this project, but I
promise to ask.

So again thanks for all the information!