Hi Francesco,

The suggested settings work if you're using the IniShiroFilter, which
is generally assumed to exist in any web application.  It sounds like
you're not using it - in which case, then yes, you'll need to do
exactly what you've described.

Shiro's Spring support's SecureRemoteInvocationExecutor is another
great example to follow if building your own custom RPC endpoint
mechanism when you're not using the IniShiroFilter:

https://svn.apache.org/repos/asf/shiro/trunk/support/spring/src/main/java/org/apache/shiro/spring/remoting/SecureRemoteInvocationExecutor.java

The key point is that the ShiroFilter implementations,
SecureRemoteInvocationExecutor and essentially any other RPC/request
interceptor need to do 4 important things:

1.  Acquires the session id (or perhaps other identifying data) from
the RPC/request payload, so it can know who is making the request.
2.  Builds the Subject based on the payload data, usually using the
Subject.Builder (or WebSubject.Builder).
3.  Binds the subject to the thread before continuing.
4.  Unbinds the subject from the thread if the request/method/whatever
is invoked or fails.

Steps 3 and 4 are done automatically if using the Subject.execute
method, which is generally the preferred approach.  See the
SecureRemoteInvocationExecutor source code for an example.

Cheers,

Les
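As an added illustration of the four steps above, here is a small payload-based RPC interceptor. This is example code written for this thread, not code from Shiro or from either participant; it assumes a hypothetical RpcPayload type that carries the session id in the request body, a SimpleAccountRealm with a constructed account, and the Shiro 1.x API (Subject.Builder, Subject.execute, SubjectThreadState).

```java
import java.util.concurrent.Callable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;

/** Example interceptor that resolves the caller from the RPC payload, never from a cookie. */
public final class PayloadSessionInterceptor {

    /** Hypothetical RPC payload (assumption for this example): the session id travels in the body. */
    public static final class RpcPayload {
        final String sessionId;   // null for calls that are not yet authenticated (e.g. login itself)
        final String method;
        RpcPayload(String sessionId, String method) { this.sessionId = sessionId; this.method = method; }
    }

    private final SecurityManager securityManager;

    public PayloadSessionInterceptor(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /** Runs {@code work} as the caller identified by the payload (steps 1-4 of the message above). */
    public <T> T invoke(RpcPayload payload, Callable<T> work) {
        // Step 1: take the identifier from the payload only; the servlet cookie is deliberately ignored.
        String sessionId = payload.sessionId;
        if (sessionId == null || sessionId.isEmpty()) {
            throw new UnauthenticatedException("RPC payload carries no session id");
        }

        // Step 2: build the Subject from that id against an explicit SecurityManager.
        // In Shiro 1.x an unknown or expired id does not throw here: the SecurityManager
        // builds an anonymous Subject instead, so the explicit check below is what rejects it.
        Subject subject = new Subject.Builder(securityManager).sessionId(sessionId).buildSubject();
        if (!subject.isAuthenticated()) {
            throw new UnauthenticatedException("Session [" + sessionId + "] is unknown, expired or not logged in");
        }

        // Steps 3 and 4: Subject.execute binds the Subject to the current thread, runs the work and
        // restores the previous thread state in a finally block, whether the call returns or throws.
        return subject.execute(work);
    }

    /** Manual form of steps 3 and 4, for frameworks whose interceptor has separate before/after hooks. */
    public static <T> T callBoundManually(Subject subject, Callable<T> work) throws Exception {
        SubjectThreadState state = new SubjectThreadState(subject);
        state.bind();            // step 3
        try {
            return work.call();
        } finally {
            state.restore();     // step 4: unbind even when work throws
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed realm and account for the demo; DefaultSecurityManager uses native sessions.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");
        SecurityManager sm = new DefaultSecurityManager(realm);
        PayloadSessionInterceptor interceptor = new PayloadSessionInterceptor(sm);

        // Login call: no session id yet, so the client receives one to keep and send back.
        Subject loginSubject = new Subject.Builder(sm).buildSubject();
        loginSubject.login(new UsernamePasswordToken("alice", "secret"));
        String sessionId = loginSubject.getSession().getId().toString();

        // Authenticated RPC call: the work sees the bound Subject via SecurityUtils.
        Object who = interceptor.invoke(new RpcPayload(sessionId, "whoami"),
                () -> SecurityUtils.getSubject().getPrincipal());
        System.out.println("call ran as: " + who);

        // Logout by id, then replay the stale id: the interceptor must reject it.
        new Subject.Builder(sm).sessionId(sessionId).buildSubject().logout();
        try {
            interceptor.invoke(new RpcPayload(sessionId, "whoami"), () -> "should not run");
        } catch (UnauthenticatedException expected) {
            System.out.println("stale session id rejected: " + expected.getMessage());
        }
    }
}
```

The isAuthenticated() check is the part most easily forgotten: because a Subject.Builder with a dead session id silently yields an anonymous Subject, an interceptor that only builds and binds would let the replayed id through as an unauthenticated caller rather than failing closed. DefaultSecurityManager (used outside a servlet container, as in this demo) already defaults to Shiro's native DefaultSessionManager, which is why building a Subject by id works there without any sessionMode setting.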

On Tue, Jan 4, 2011 at 7:02 PM, Francesco Pasqualini <[email protected]> wrote:
> Hi Les,
> thanks for your reply.
> As you saw in my auto reply I found a working solution.
> Then I tried the settings you suggested and it doesn't work.
> It gives me the following exception:
> Property 'sessionMode' does not exist for object of type
> org.apache.shiro.mgt.DefaultSecurityManager.
> (with securityManager.sessionMode = native)
> I tried another thing.
> I disabled the cookie in the browser and my solution works perfectly too.
> (without securityManager.sessionMode = native)
> My working solution is:
> Empty shiro.ini except for [user] section
> Login:
>        currentUser = new Subject.Builder().buildSubject();
>        currentUser.login(token);
>        currentUser.getSession(true);
> Retrieve Session by sessionID (logged in user):
>        new Subject.Builder().sessionId(sessionId).buildSubject().getSession();
> Logout:
>        currentUser = new Subject.Builder().sessionId(sessionID).buildSubject();
>        currentUser.logout();
>
> This is working very well, but is it the correct way to achieve what I want?
> thanks
>
>
>
>
> On Tue, Jan 4, 2011 at 9:25 PM, Les Hazlewood <[email protected]> wrote:
>>
>> Hi Francesco,
>>
>> Your logic is exactly correct, with one caveat:  passing a session id
>> manually _only_ works when using Shiro's native sessions.  There is no
>> way to obtain a session from the ServletContainer based on a session
>> ID.  Therefore, you need to ensure that you're using Shiro's native
>> sessions and _not_ the servlet container sessions (which are used by
>> default).
>>
>> In Shiro's INI, you can configure this easily:
>>
>> securityManager.sessionMode = native
>> # you can also disable the session cookie entirely after native
>> sessions are enabled:
>> securityManager.sessionManager.sessionIdCookieEnabled = false
>>
>> That should work.  Please let us know how it goes!
>>
>> Cheers,
>>
>> --
>> Les Hazlewood
>> Founder, Katasoft, Inc.
>> Application Security Products & Professional Apache Shiro Support and
>> Training:
>> http://www.katasoft.com
>>
>>
>> On Sun, Jan 2, 2011 at 5:36 AM, Francesco Pasqualini <[email protected]>
>> wrote:
>> > Hi,
>> > I really like shiro API and approach.
>> > I'm trying to use shiro  with GWT.
>> > But it seems there is a problem.
>> > According to GWT "login security faq" I need to avoid using, on the server
>> > side, the session id retrieved from cookie, but I must pass it in the payload
>> > of the RPC request.
>> >
>> > http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
>> > So I implemented my GWT+shiro as follow:
>> > 1) when a user starts login: obtain the new shiro sessionId, pass it to the
>> > client, and store it in the client to pass back to the server
>> > 2) when a logged-in user does an RPC request: pass the stored sessionId from
>> > client to server in the payload of the RPC request, and server side I access
>> > the session this
>> > way: Subject.Builder().sessionId(sessionId).buildSubject().getSession()
>> > But my code does not work.
>> > When the user logs out and logs in again shiro does not provide a new
>> > sessionId,
>> > but keeps using the old one that is no more valid (logout), so I have the
>> > following Exception when I try to login with shiro
>> > (currentUser.login(token)):
>> > "There is no session with id [the old ID]".
>> > Is there a way to tell shiro to not use the sessionId passed with
>> > cookies but only the one "programmatically" passed?
>> > thanks