Hi John,

This will work - people have done this in the past. A major caveat however is to ensure that you're using HTTPS during all of the interactions/redirects to help protect against Man-in-the-Middle attack vectors. That is, it should be made as difficult as possible to intercept the session ID.
HTH,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Sat, Feb 4, 2012 at 6:33 AM, John Moore <[email protected]> wrote:

> Before I press on much further with the applications I'm working on, I
> thought I'd just sound people out here as to whether there is some
> fundamental flaw in the way I'm planning to use Shiro. The normal way Shiro
> works is that when a user goes to a certain URL, a check is made to see
> whether the user is logged in, etc., and if not, they are redirected to a
> login page.
>
> My tweak on this is that I actually have multiple web applications - a
> central admin app, where user authentication etc. is handled, plus a bunch
> of product-specific applications. I have got session clustering working via
> Redis, so sessions will be shared across the various applications. The plan
> is that when a user goes to a URL in one of the product-specific apps, if
> they are found not to be logged in (via session sharing) they will be
> redirected to the admin app, where they will log in and then be redirected
> back to the original URL. My assumption behind this is that I should be able
> to specify an absolute login URL instead of a relative one and as far as the
> browser and Shiro are concerned, this should make no difference (although I
> wonder how it would handle the redirect back to the original URL as an
> absolute one?). I imagine a bit of URL rewriting will be necessary, which
> will be straightforward enough as the requests will probably all be going
> through a reverse proxy server.
>
> Have I misunderstood something fundamental, or does this sound as if it
> should work?
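An added example of the cross-application flow discussed in this thread, written here for illustration; it is not code from either poster or from the Shiro project. It assumes Shiro 1.x web filters on javax.servlet, the shared (Redis-clustered) session from the question, and placeholder host names (admin.example.com, product-a.example.com, product-b.example.com). The product-app filter stores the absolute original URL in the shared session rather than Shiro's usual relative saved request (which would resolve against the admin app's host after the redirect), and the admin-app filter only sends the browser back if that URL is https and points at a known host, which is where the HTTPS caveat in the reply becomes an enforced check rather than a convention.

```java
// Added example (not from the thread or the Shiro project). Assumes Shiro 1.x,
// javax.servlet, a session store shared by all apps, and placeholder host names.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/** Values shared by the two filters (all hypothetical). */
final class CrossAppLogin {
    /** Session attribute carrying the absolute URL the user originally requested. */
    static final String ORIGINAL_URL_KEY = "crossApp.originalUrl";
    /** Product-app hosts the admin app may redirect back to (placeholder names). */
    static final Set<String> ALLOWED_HOSTS =
            Set.of("product-a.example.com", "product-b.example.com");
    /** Landing page inside the admin app when no valid return URL is present. */
    static final String DEFAULT_SUCCESS_URL = "/";

    /** Returns the candidate unchanged if it is an https URL on a known host, else null. */
    static String validatedReturnUrl(String candidate) {
        if (candidate == null) return null;
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return null;
        }
        // https only: an http return URL would put the session cookie on the wire in clear.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        // Reject userinfo tricks such as https://product-a.example.com@other.example/
        if (uri.getRawUserInfo() != null) return null;
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        return uri.toString();
    }

    private CrossAppLogin() {}
}

/**
 * Installed in each product-specific app, with loginUrl set to the admin app's
 * absolute login URL (e.g. https://admin.example.com/login). Stores the absolute
 * original URL in the shared session before redirecting.
 */
class ProductAppAuthFilter extends FormAuthenticationFilter {
    @Override
    protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response)
            throws IOException {
        HttpServletRequest http = WebUtils.toHttp(request);
        // Behind the reverse proxy, getRequestURL() reflects what the container sees,
        // so the proxy must pass the external https scheme and host through.
        StringBuffer original = http.getRequestURL();
        if (http.getQueryString() != null) {
            original.append('?').append(http.getQueryString());
        }
        SecurityUtils.getSubject().getSession()
                .setAttribute(CrossAppLogin.ORIGINAL_URL_KEY, original.toString());
        redirectToLogin(request, response);
    }
}

/**
 * Installed in the central admin app on its login URL. After a successful login,
 * returns the user to the stored URL only if it passes the scheme and host check.
 */
class AdminAppAuthFilter extends FormAuthenticationFilter {
    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response)
            throws Exception {
        Object stored = subject.getSession().getAttribute(CrossAppLogin.ORIGINAL_URL_KEY);
        subject.getSession().removeAttribute(CrossAppLogin.ORIGINAL_URL_KEY);
        String target = CrossAppLogin.validatedReturnUrl(stored == null ? null : stored.toString());
        // issueRedirect passes absolute URLs through and resolves relative ones against the context.
        WebUtils.issueRedirect(request, response,
                target != null ? target : CrossAppLogin.DEFAULT_SUCCESS_URL);
        return false; // response is committed; stop the filter chain
    }
}
```

Wire ProductAppAuthFilter into each product app's Shiro filter chain in place of the default authc filter, and AdminAppAuthFilter into the admin app on the login path. Because the return target lives in the server-side shared session instead of a query parameter, the login page needs no hidden field to carry it, and the allow-list keeps the admin app from becoming an open redirector if the session attribute is ever populated by something other than the product-app filter.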
