Sorry the subject isn't really clear here... I would like to make a web service which uses Shiro for Auth-n/Auth-z and session management. However, I don't want it to use the underlying HttpSession to figure out who returning users are, as using cookies in a web service is generally regarded as a no-no (for example, SMTP has no concept of cookies...).

So what I would like to do is this:

* Have a service which takes a username and password
* Create a UsernamePassword token given those credentials.
* If the user is authenticated, return them a session ID (or similar token)
* On subsequent requests, they pass that session ID (or similar token)
* Get the session/subject based on that session ID (or similar token)

I'm unclear how SecurityUtils.getSubject() might do this in my situation. Do I need to create a new Realm which could take either a UsernamePassword token and authenticate using some downstream (JNDI, LDAP, JDBC, etc.) realm OR another type of token to see if the token is still valid? Or would I authenticate the user using UsernamePasswordToken, then get their session using subject.getSession(), return to the user the result of Session.getId(), then on subsequent requests, get the session ID they sent, then just look up the Session? Once I have that session, how do I get the Subject that holds that session ID?

Thanks in advance.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Sorta-HTTP-Session-Management-in-HTTP-Session-tp7418918p7418918.html
Sent from the Shiro User mailing list archive at Nabble.com.
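The flow the question sketches (log in with a UsernamePasswordToken, hand back Session.getId(), later rebuild the Subject from that id) can be done with Shiro's own Subject.Builder instead of the thread-bound SecurityUtils.getSubject(). The example below is added here and is not code from the original thread or from the Shiro project; the account "alice"/"s3cret", the 15-minute timeout and the bogus id are constructed for the demo.

```java
import java.io.Serializable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.Subject;

public class TokenSessionDemo {

    // Step 1: credentials in, opaque session id out (null on failure).
    static Serializable login(String user, String pass) {
        Subject subject = new Subject.Builder().buildSubject(); // fresh, anonymous
        try {
            subject.login(new UsernamePasswordToken(user, pass));
        } catch (AuthenticationException e) {
            return null; // same response whether user or password was wrong
        }
        // Shiro stores the principals and the authenticated flag in this session,
        // so the id alone is enough to get the Subject back later.
        return subject.getSession().getId();
    }

    // Step 2: a later request carries the id; rebuild the Subject from it.
    static Subject resume(Serializable sessionId) {
        // An unknown or expired id does NOT throw: Shiro silently returns an
        // anonymous Subject, so the caller must check isAuthenticated().
        return new Subject.Builder().sessionId(sessionId).buildSubject();
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "s3cret"); // constructed demo account
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        // The id is a bearer token, so give it an idle timeout (constructed value).
        ((DefaultSessionManager) sm.getSessionManager()).setGlobalSessionTimeout(15 * 60 * 1000L);
        SecurityUtils.setSecurityManager(sm);

        Serializable id = login("alice", "s3cret");
        System.out.println("issued session id: " + id);

        Subject s = resume(id);
        System.out.println("resumed " + s.getPrincipal() + ", authenticated=" + s.isAuthenticated());

        Subject bogus = resume("not-a-real-id"); // constructed bogus token
        if (!bogus.isAuthenticated()) {
            System.out.println("rejecting request with unknown or expired session id");
        }
    }
}
```

Because the session id is the only thing that identifies the caller, it needs the same protection as a cookie would: transport over TLS and a bounded lifetime.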
