Hello List.
I am developing an EJB application and decided to use Shiro for our
authentication and authorization needs.
There are some questions I do not understand completely - any help is
much appreciated.
1. I guess SecurityUtils.getSubject() can't work correctly if we are
using multiple JVMs.
How is it possible to authenticate cluster-wide? If the user gets
authenticated in Method A running on instance1 - Method B running on
instance2 will not know about this user. Even if it is the same
request... right?
2. I am using EnterpriseCacheSessionDAO and implemented my own
CacheManager using Hazelcast.
Is this stuff used if sessionStorageEnabled = false? I do not see any
keys created inside Hazelcast now. But I really do not want Sessions
that live longer than one request... the app should be completely
stateless.
3. If the only way is to enable sessionStorage - how does instance2
know which session ID to retrieve from the DAO?
Do I need to come up with my own solution (using EJB context or
something similar)?
Way too many questions :-)
-ps