If you allow sessions to be used, and both apps can access the same JSESSIONID (either via a shared cookie or request param) and both apps point to the same session data store, then yes :)
On Tue, Aug 2, 2011 at 2:09 PM, Rui Vilão <[email protected]> wrote: > So you're saying that, for example I use the authc filter in one webapp > (performing thelogin) and then use the UserFilter in another webapp with the > same browser, same session I will be authenticated in the second webapp? > -- > Rui > > On Tue, Aug 2, 2011 at 9:54 PM, Les Hazlewood <[email protected]> wrote: >> >> I'm not sure why you're using the Subject.Builder. >> >> If you subclass the IniShiroFilter (or its parent >> AbstractShiroFilter), the WebSubject is already created and bound to >> the thread for you so that SecurityUtils.getSubject() will work >> correctly (and return WebSubject) instances. >> >> The AbstractShiroFilter will also build the WebSubject according to >> the JSESSIONID as expected - no need to re-implement this yourself. >> >> >> http://svn.apache.org/repos/asf/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java >> >> HTH, >> >> Les
