Hi Les,
thanks for your reply.
As you have seen in my auto reply, I found a working solution.

Then I tried the settings you suggested and it doesn't work.

It gives me the following exception:

Property 'sessionMode' does not exist for object of type
org.apache.shiro.mgt.DefaultSecurityManager.

(with securityManager.sessionMode = native)

I tried another thing.
I disabled the cookie in the browser and my solution works perfectly too.
(without securityManager.sessionMode = native)

My working solution is:

Empty shiro.ini except for [user] section

Login:
       currentUser = new Subject.Builder().buildSubject();
       currentUser.login(token);
       currentUser.getSession(true);   // create the native session whose id goes to the client

Retrieve Session by sessionId (logged in user):
       new Subject.Builder().sessionId(sessionId).buildSubject().getSession();

Logout:
       currentUser = new Subject.Builder().sessionId(sessionId).buildSubject();
       currentUser.logout();


This is working very well, but is it the correct way to achieve what I want?

thanks

On Tue, Jan 4, 2011 at 9:25 PM, Les Hazlewood <[email protected]> wrote:

> Hi Francesco,
>
> Your logic is exactly correct, with one caveat:  passing a session id
> manually _only_ works when using Shiro's native sessions.  There is no
> way to obtain a session from the ServletContainer based on a session
> ID.  Therefore, you need to ensure that you're using Shiro's native
> sessions and _not_ the servlet container sessions (which are used by
> default).
>
> In Shiro's INI, you can configure this easily:
>
> securityManager.sessionMode = native
> # you can also disable the session cookie entirely after native sessions are enabled:
> securityManager.sessionManager.sessionIdCookieEnabled = false
>
> That should work.  Please let us know how it goes!
>
> Cheers,
>
> --
> Les Hazlewood
> Founder, Katasoft, Inc.
> Application Security Products & Professional Apache Shiro Support and
> Training:
> http://www.katasoft.com
>
>
> On Sun, Jan 2, 2011 at 5:36 AM, Francesco Pasqualini <[email protected]>
> wrote:
> > Hi,
> > I really like the shiro API and approach.
> > I'm trying to use shiro with GWT.
> > But it seems there is a problem.
> > According to the GWT "login security faq" I need to avoid using, on the
> > server side, the session id retrieved from the cookie and must instead
> > pass it in the payload of the RPC request.
> > http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
> > So I implemented my GWT+shiro as follows:
> > 1) when the user starts login: obtain the new shiro sessionId, pass it to
> > the client, and store it in the client to pass back to the server
> > 2) when a logged-in user does an RPC request: pass the stored sessionId
> > from client to server in the payload of the RPC request, and on the
> > server side I access the session this way:
> > Subject.Builder().sessionId(sessionId).buildSubject().getSession()
> > But my code does not work.
> > When the user logs out and logs in again shiro does not provide a new
> > sessionId, but keeps using the old one that is no longer valid (logout),
> > so I get the following Exception when trying to login with shiro
> > (currentUser.login(token)):
> > "There is no session with id [the old ID]".
> > Is there a way to tell shiro not to use the sessionId passed with
> > cookies but only the one "programmatically" passed?
> > thanks
>
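A self-contained Java version of the flow discussed in this thread (Francesco's login, resolve-by-id and logout steps, with Les's caveat that resolving a Subject from a session id needs Shiro's native sessions), added here as an example and not code from either poster or from the Shiro project. It assumes the non-web DefaultSecurityManager named in the exception above, whose sessions are native already, so no sessionMode property is set; the class name, the alice/secret credentials and the in-memory Ini are constructed stand-ins for the real shiro.ini.

```java
import java.io.Serializable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;

/** Server side: the session id travels in the RPC payload, never in a cookie. */
public class PayloadSessionAuth {
    public PayloadSessionAuth() {
        // Constructed in-memory equivalent of a shiro.ini holding only a [users] section.
        // The non-web DefaultSecurityManager this builds always uses Shiro's native sessions.
        Ini ini = new Ini();
        ini.addSection("users").put("alice", "secret");  // constructed test credentials
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);
    }

    /** Login: authenticate a fresh Subject and return the new native session id for the client to store. */
    public Serializable login(String user, String password) {
        Subject subject = new Subject.Builder().buildSubject();
        subject.login(new UsernamePasswordToken(user, password)); // throws AuthenticationException on failure
        return subject.getSession(true).getId();
    }

    /** Per request: resolve the Subject from the payload id; null means the client must log in again. */
    public Subject resolve(Serializable sessionId) {
        if (sessionId == null) return null;
        try {
            Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
            Session session = subject.getSession(false);
            // A bare id proves nothing: require a live session AND an authenticated principal.
            if (session == null || !subject.isAuthenticated()) return null;
            return subject;
        } catch (SessionException stale) {
            // Unknown or expired id (e.g. reused after logout): reject it instead of falling back to a cookie.
            return null;
        }
    }

    /** Logout: stop the native session so the old id is refused from now on. */
    public void logout(Serializable sessionId) {
        Subject subject = resolve(sessionId);
        if (subject != null) subject.logout();
    }
}
```

Call login() once and store the returned id on the client, pass it in every RPC payload to resolve(), and hand it to logout() when the user signs out; after logout, resolve() returns null for the old id, which is the stale-id case from the first message, and the next login() issues a fresh id.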
