Yes, I think I potentially can do it that way, but I will need to look into how to do it with the constraints I have currently.
What I'm doing is building a framework so that developers can use it to develop their applications. Doing it my way definitely seems risky since it's possible that developers forget to unbind the thread after each task. Anyway, it seems like I need to unbind the subject from the thread right away after login. What's a proper way of doing that? Do I do subject.execute() on a Callable that doesn't do anything? Right now, logging in without unbinding the thread is opening up a huge security hole. Any call that is serviced by that thread can "pretend" to be the authenticated user without having to do anything. So I should just ignore this fact and do a check on session ID every time? I guess that will work since nothing that requires a user to be authenticated will get executed without a session ID.

Thanks,
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Checking-Session-Timeout-tp6373753p6380344.html
Sent from the Shiro User mailing list archive at Nabble.com.
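
An added example, not from this thread or from Shiro's own code, that reproduces the hole Jack describes and the cleanup: a single-thread executor runs a login task and then an unrelated task on the same thread, so without an unbind the second task inherits the authenticated Subject, while `ThreadContext.remove()` in a `finally` block clears it. It assumes a constructed in-memory `SimpleAccountRealm` with one account; the class and method names are mine.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class ThreadBoundSubjectDemo {

    // Constructed in-memory realm with one test account (an assumption for the demo).
    static void setup() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
    }

    // Logs in on the calling (pool) thread. DelegatingSubject.login() binds the
    // authenticated Subject to that thread; only the cleanup branch removes it again.
    static Callable<Boolean> login(boolean cleanup) {
        return () -> {
            try {
                Subject subject = SecurityUtils.getSubject();
                subject.login(new UsernamePasswordToken("alice", "secret"));
                return subject.isAuthenticated();
            } finally {
                // Clear the thread's Shiro state before the pool reuses the thread;
                // this is the same per-request cleanup ShiroFilter performs in web apps.
                if (cleanup) ThreadContext.remove();
            }
        };
    }

    // Unrelated task: reports whether the Subject it finds on its thread is authenticated.
    static Callable<Boolean> nextTaskIsAuthenticated() {
        return () -> SecurityUtils.getSubject().isAuthenticated();
    }

    public static void main(String[] args) throws Exception {
        setup();
        ExecutorService pool = Executors.newSingleThreadExecutor(); // tasks share one thread
        pool.submit(login(false)).get();
        System.out.println("after login without unbind: " + pool.submit(nextTaskIsAuthenticated()).get());
        pool.submit(login(true)).get();
        System.out.println("after login with cleanup: " + pool.submit(nextTaskIsAuthenticated()).get());
        pool.shutdown();
    }
}
```

The second task never logs in itself, so any `true` it reports comes purely from state left behind on the worker thread, which is the inherited identity the message is worried about.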
