OK - thanks Manoj, I'll take a deeper look in the code.
/Bengt 2011/11/9 Manoj Khangaonkar <[email protected]> > Hi Bengt, > > The doFilterInternal method of AbstractShiroFilter starts the chain of > code that > extracts the sessionid from the request, locates the session, creates > the WebDelegatingSubject > whose session is touched. > > To get the behaviour you need, you might need to override some of this code > > Manoj > > On Wed, Nov 9, 2011 at 12:50 AM, Bengt Rodehav <[email protected]> wrote: > > Hello Manoj, > > I use my own subclass of FormAuthenticationFilter. I've changed the > > behaviour of onAccessDenied() so that a 401 is returned since I do not > want > > a redirect to a login URL. It's an Ajax application so I don't want a > page > > reload. This seems to work. > > My first idea was to just have a special GET Url (.../session/checkLogin) > > that the client would call. I assume that the web browser will send the > > session cookie (like it always does). On the server side I'm not clear of > > what exactly happens. However, since there is a last used property on the > > sesssion and I have set the session timeout, I assumed that all calls > within > > a session (determined from the session cookie) would "automagically" > update > > the last used timestamp. Not sure if this is Shiro functionality or > general > > Jetty functionality (Jetty is used for the OSGi http service that I'm > > using). > > It's not clear to me how I can tell (Shiro or Jetty?) that this > particular > > call should not "count". You're saying that subject.isAuthenticated() > does > > not touch the session but I would guess that > > calling SecurityUtils.getSubject() to get the subject needs the session > to > > work. > > When exactly is the last used property updated? > > BTW, I have a "login" method (POST .../session/login) that looks > something > > like this: > > String username = theRequest.getParameter("j_username"); > > String password = theRequest.getParameter("j_password"); > > LoginStatus status = getStatus(); > > if (!getStatus().isAuthenticated()) { > > UsernamePasswordToken token = new UsernamePasswordToken(username, > > password); > > Subject currentUser = SecurityUtils.getSubject(); > > try { > > currentUser.login(token); > > status = new LoginStatus(currentUser.isAuthenticated(), > > currentUser.getPrincipal().toString(), currentUser > > .getPrincipal().toString()); > > HttpSession session = theRequest.getSession(); > > if (session != null) { > > session.setMaxInactiveInterval(mService.getSessionTimeout()); > > } > > } catch (AuthenticationException e) { > > status = new LoginStatus(false, null, null); > > } > > } > > Thus I set the session timeout on the HttpSession after a successful > login. > > /Bengt > > > > 2011/11/8 Manoj Khangaonkar <[email protected]> > >> > >> Hi Bengt, > >> > >> How do you plan on doing checkLogin ? > >> > >> If you use subject.isAuthenticated() , it does not touch the session. > >> > >> If you use an authenticationFilter like the FormAuthenticationFilter, > >> it can detect that the session has timed out > >> and redirect the request to a login url > >> > >> Manoj > >> > >> > >> On Tue, Nov 8, 2011 at 11:59 AM, Bengt Rodehav <[email protected]> > wrote: > >> > Seems like I've been bombarding this list lately. I'm quite new to > Shiro > >> > which is why I ask all these silly questions. Must say that I'm very > >> > pleased > >> > so far. Shiro has turned out to be much easier to use then Spring > Acegi > >> > that > >> > I have been using in the past. > >> > Anyway, I'm using Shiro 1.1 to handle authentication for an OSGi based > >> > web > >> > application using the http service in Apache Karaf. > >> > Currently my web application will return status 401 when trying to > >> > access > >> > resources that requires an authenticated user in case the session does > >> > not > >> > contain an authenticated user. I would like to enhance the web > >> > application > >> > so that the client (the browser) can periodically (e g once a minut) > can > >> > check whether a user is still logged in. That way, if a user leaves > the > >> > application for a while, I can display a login dialog so that the user > >> > can > >> > clearly see that s/he has been logged out. > >> > The problem is that if the client calls my "checkLogin" method in the > >> > context of the current session once a minute then the session will > never > >> > time out since the last used timestamp will be updated on each call. > Is > >> > there a best practice to accomplish this? I'm not sure if it's > possible > >> > to > >> > make a call "outside" of the session. I was thinking about saving the > >> > last > >> > used timestamp in another session attribute and then restore the real > >> > last > >> > used timestamp from my special attribute after invoking my > "checkLogin" > >> > method. Not sure if that would work and thought it might be wise to > ask > >> > if > >> > anyone has done something similar before. > >> > /Bengt > >> > >> > >> > >> -- > >> http://khangaonkar.blogspot.com/ > > > > > > > > -- > http://khangaonkar.blogspot.com/ >
