Les, I think I figured out how I can get things to work with the JMS use case, but I need to be able to unbind the thread from the current subject at login. Is there a way to do this? I saw that there is a way to create and bind/unbind a SubjectThreadState object with a subject, but how do I get access to it after I log in?
Here are the steps of what I think will work:

1) Send a JMS message to log in. Unbind the current thread right away so the session remains in the cache, but the thread is clean. A token with the session id is sent back to the client, which will be used for subsequent requests related to the same user.

2) For every request, include the token in the JMS message. The service provider then uses this token to get the session and subject, then binds the subject to the current thread.

The issue I saw in my last try, as mentioned in the last message in the thread, is that the thread is associated with a subject permanently until I send a command to log out. This means that any subsequent calls can do everything without having to be authenticated or authorized, since Shiro assumed that it's the same user. Because of that, I want to be able to clear the thread state, but leave the session in the cache for further usage.

Thanks,
Jack
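The two steps described in the message above, as an added example that is not part of the original post or of the Shiro project's own code. It assumes shiro-core on the classpath and an in-memory realm with a constructed account; the class name JmsSubjectBinding and the methods login and handle are hypothetical.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class JmsSubjectBinding { // hypothetical class name
    // Step 1: log in on a Subject built off-thread and return its session id as the token.
    static Serializable login(String user, String password) {
        try {
            Subject subject = new Subject.Builder().buildSubject();
            subject.login(new UsernamePasswordToken(user, password));
            return subject.getSession().getId();
        } finally {
            ThreadContext.unbindSubject(); // worker thread keeps no identity; session stays cached
        }
    }

    // Step 2: rebuild the Subject from the token and bind it only while the work runs.
    static <V> V handle(Serializable token, Callable<V> work) {
        Subject subject = new Subject.Builder().sessionId(token).buildSubject();
        if (!subject.isAuthenticated()) { // unknown or expired session id yields an anonymous Subject
            throw new UnauthenticatedException("invalid or expired session token");
        }
        return subject.execute(work); // binds, runs, then restores the previous thread state
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("jack", "secret", "user"); // constructed test account
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Serializable token = login("jack", "secret");
        System.out.println("after login, bound: " + ThreadContext.getSubject());
        Object who = handle(token, () -> SecurityUtils.getSubject().getPrincipal());
        System.out.println("inside request: " + who);
        System.out.println("after request, bound: " + ThreadContext.getSubject());
        try {
            handle("not-a-session-id", () -> "unreachable");
        } catch (UnauthenticatedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The session id acts as a bearer credential here, so the JMS transport carrying it needs confidentiality and the session timeout bounds how long a captured token stays usable.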
