I'm pretty new to Shiro so I wasn't sure if I have done everything correctly.
Here's my scenario:
[Jersey + Jetty + Shiro]
I wrote my code so that if the user is authenticated, there is no need to
log in again (just like the one from the authentication tutorial). However, what
I'm seeing is that this information may not be shared across threads (I
think that's what's happening). Take a look at the printout from the
servletContext log:
2011-03-25 10:22:39.839:INFO:/aan:isRemembered = false
2011-03-25 10:22:39.856:INFO:/aan:login = true
---
2011-03-25 10:22:46.683:INFO:/aan:isRemembered = false
2011-03-25 10:22:46.687:INFO:/aan:login = false
---
2011-03-25 10:22:49.219:INFO:/aan:isRemembered = false
2011-03-25 10:22:49.220:INFO:/aan:login = true
---
2011-03-25 10:22:52.011:INFO:/aan:isRemembered = false
2011-03-25 10:22:52.011:INFO:/aan:login = true
---
2011-03-25 10:22:56.442:INFO:/aan:isRemembered = false
2011-03-25 10:22:56.445:INFO:/aan:login = false
---
2011-03-25 10:22:58.059:INFO:/aan:isRemembered = false
2011-03-25 10:22:58.062:INFO:/aan:login = true
---
2011-03-25 10:22:59.410:INFO:/aan:isRemembered = false
2011-03-25 10:22:59.414:INFO:/aan:login = true
---
2011-03-25 10:23:00.554:INFO:/aan:isRemembered = false
2011-03-25 10:23:00.555:INFO:/aan:login = false
---
2011-03-25 10:23:01.682:INFO:/aan:isRemembered = false
2011-03-25 10:23:01.683:INFO:/aan:login = false
---
2011-03-25 10:23:03.546:INFO:/aan:isRemembered = false
2011-03-25 10:23:03.546:INFO:/aan:login = false
---
2011-03-25 10:23:04.658:INFO:/aan:isRemembered = false
2011-03-25 10:23:04.658:INFO:/aan:login = false
---
2011-03-25 10:23:06.058:INFO:/aan:isRemembered = false
2011-03-25 10:23:06.061:INFO:/aan:login = false
Each pair of isRemembered and login lines is basically from the same request.
What I'm seeing here are 2 things:
1) It takes quite a few requests for Shiro to actually understand that the user
is authenticated. My assumption is that all threads eventually received the
request and after a while the user is truly authenticated in Shiro.
2) My remember me obviously doesn't work at all since it keeps showing that
the user is not remembered.
My configuration is dead simple and it's pretty much taken from the
tutorial. I have created my own custom realm, which seems to be working fine
(though I have no idea why it has to make 2 separate calls to user
management system, one for doGetAuthenticationInfo and one for
doGetAuthorizationInfo - design flaw?). I believe I'm using native session
since I didn't change any configuration at all. Same goes for the native
cache as well.
[Init code]
Realm realm = new UMRealm();
SecurityManager securityManager = new DefaultSecurityManager(realm);
SecurityUtils.setSecurityManager(securityManager);
[Code for login]
if (!currentUser.isAuthenticated()) {
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    token.setRememberMe(rememberMe);
    currentUser.login(token);
    currentUser.getSession().setTimeout(sessionTimeoutMSec);
}
I know the tutorial says that I should be doing
SecurityUtils.setSecurityManager(securityManager);, but at this point I'm
not sure what's a better way to initialize the SecurityManager.
Please let me know if anyone has run into the same issue before.
Thanks,
Jack
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Interesting-Behavior-of-isAuthenticated-on-Jersey-Jetty-Shiro-tp6208130p6208130.html
Sent from the Shiro User mailing list archive at Nabble.com.
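
Added example, not part of the original post and not Shiro's own code: assuming the poster's suspicion is right and the Subject is being resolved from the current thread rather than bound per request, this program reproduces that with a three-thread pool standing in for Jetty's workers, then contrasts it with rebuilding the Subject from the session id on every request. The class name, account, password and pool size are constructed for the demo, and it needs shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import java.io.Serializable;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundSubjectDemo {
    static Serializable sessionId; // stands in for the session cookie a browser would send back

    // Same shape as the login code in the post: the Subject comes from the current thread.
    // It stays bound to the pooled thread afterwards, so any later request served by
    // that thread is treated as authenticated, whoever sent it.
    static String handleThreadBound() {
        Subject user = SecurityUtils.getSubject();
        boolean before = user.isAuthenticated();
        if (!before) {
            user.login(new UsernamePasswordToken("jack", "constructed-pw"));
            sessionId = user.getSession().getId();
        }
        return Thread.currentThread().getName() + ": authenticated on entry = " + before;
    }

    // Per-request binding: rebuild the Subject from the session id and bind it to the
    // thread only for the duration of the call; execute() restores the thread state after.
    static String handleSessionBound(DefaultSecurityManager sm) {
        Subject user = new Subject.Builder(sm).sessionId(sessionId).buildSubject();
        return user.execute(() -> Thread.currentThread().getName()
                + ": authenticated on entry = " + SecurityUtils.getSubject().isAuthenticated());
    }

    public static void main(String[] args) throws Exception {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("jack", "constructed-pw"); // constructed test account
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(sm);

        ExecutorService pool = Executors.newFixedThreadPool(3); // stand-in for Jetty workers
        Callable<String> threadBound = ThreadBoundSubjectDemo::handleThreadBound;
        Callable<String> sessionBound = () -> handleSessionBound(sm);
        for (int i = 0; i < 6; i++) // one "request" at a time, as in the log
            System.out.println(pool.submit(threadBound).get());
        System.out.println("---");
        for (int i = 0; i < 6; i++)
            System.out.println(pool.submit(sessionBound).get());
        pool.shutdown();
    }
}
```

In the first loop the result depends on which worker thread picks up the request; in the second it depends only on the session id, which is the role a per-request filter plays in a servlet container.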