My comments inline. -- Rui
On Tue, Aug 2, 2011 at 10:36 PM, Les Hazlewood <[email protected]> wrote:

> If you allow sessions to be used

This is done implicitly and by default right?

> , and both apps can access the same
> JSESSIONID (either via a shared cookie or request param)

This too I believe.

> and both apps
> point to the same session data store, then yes :)
>

Now here... I will have to turn Ehcache on right? Something like you say in http://shiro.apache.org/session-management.html although in my case I think it will be programmatically.

>
> On Tue, Aug 2, 2011 at 2:09 PM, Rui Vilão <[email protected]> wrote:
> > So you're saying that, for example I use the authc filter in one webapp
> > (performing the login) and then use the UserFilter in another webapp with the
> > same browser, same session I will be authenticated in the second webapp?
> > --
> > Rui
> >
> > On Tue, Aug 2, 2011 at 9:54 PM, Les Hazlewood <[email protected]> wrote:
> >>
> >> I'm not sure why you're using the Subject.Builder.
> >>
> >> If you subclass the IniShiroFilter (or its parent
> >> AbstractShiroFilter), the WebSubject is already created and bound to
> >> the thread for you so that SecurityUtils.getSubject() will work
> >> correctly (and return WebSubject) instances.
> >>
> >> The AbstractShiroFilter will also build the WebSubject according to
> >> the JSESSIONID as expected - no need to re-implement this yourself.
> >>
> >> http://svn.apache.org/repos/asf/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java
> >>
> >> HTH,
> >>
> >> Les
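
Added example, not part of the original thread and not the Shiro project's own code: a programmatic setup of the three conditions discussed above (Shiro-managed sessions, a session ID cookie both webapps receive, and a cache-backed session store). The class name, the `realm` and `ehcacheConfig` parameters, and the cookie path `/` are assumptions made for illustration.

```java
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

// Hypothetical helper: each webapp builds its SecurityManager through this
// method so that both resolve the same JSESSIONID against the same store.
public final class SharedSessionSecurityManagerFactory {

    private SharedSessionSecurityManagerFactory() {
    }

    public static DefaultWebSecurityManager create(Realm realm, String ehcacheConfig) {
        // Ehcache-backed CacheManager; ehcacheConfig is an assumed resource
        // path such as "classpath:ehcache.xml" that defines the session cache.
        EhCacheManager cacheManager = new EhCacheManager();
        cacheManager.setCacheManagerConfigFile(ehcacheConfig);

        // Shiro-managed ("native") sessions instead of the servlet
        // container's HttpSession, persisted through a cache-aware DAO.
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionDAO(new EnterpriseCacheSessionDAO());

        // Send the session ID cookie to every context path on the host,
        // not only the webapp that performed the login (assumed path "/").
        Cookie sessionIdCookie = sessionManager.getSessionIdCookie();
        sessionIdCookie.setPath("/");
        // Widening the cookie scope widens its exposure: keep it away from
        // page scripts and off plain-HTTP connections.
        sessionIdCookie.setHttpOnly(true);
        sessionIdCookie.setSecure(true);

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);
        // The CacheManager set here is handed on to the session manager
        // and from there to the cache-aware session DAO.
        securityManager.setCacheManager(cacheManager);
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }
}
```

A stand-alone Ehcache instance inside each webapp is not a shared store: the two applications only see each other's sessions when the cache behind `ehcacheConfig` is one both can reach. With the cookie path set to `/`, every application on that host receives the session ID, so all of them have to be trusted with it.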
