Hi,

if you manage the web service requests without using an HTTP session you
have two things to do:
- login subject on explicit login request,
- get subject based on submitted id for all other requests.

If you use the shiro session management without HTTP sessions, you can
do the following:

Login is easy, you probably know that:
SecurityUtils.getSubject() and then try to login with subject.login(token)

You can then use the shiro session ID to retrieve the subject on
subsequent requests, using the subject builder:

Subject subject =
new Subject.Builder().sessionId(sessionId).buildSubject();

I just see this is nicely documented in the JavaDoc for Subject.Builder:
http://shiro.apache.org/static/current/apidocs/org/apache/shiro/subject/Subject.Builder.html

Depending on how you integrate this, you may have to bind the subject to
the current thread yourself for subsequent calls to
SecurityUtils.getSubject() to work with the built subject.


Regards,

Andreas


On 29.03.2012 21:07, coleslaw wrote:
> Sorry the subject isn't really clear here...
> 
> I would like to make a web service which uses Shiro for Auth-n/Auth-z and
> session management. However, I don't want it to use the underlying
> HttpSession to figure out who returning users are as using cookies in a
> webservice is generally regarded as a no-no (for example, SMTP has no
> concept of cookies...)
> 
> So what I would like to do is this:
> * Have a service which takes a username and password
> * Create a UsernamePassword token given those credentials.
> * If the user is authenticated, return them a session ID (or similar token)
> * On subsequent requests, they pass that session ID (or similar token)
> * Get the session/subject based on that session ID (or similar token)
> 
> I'm unclear how SecurityUtils.getSubject() might do this in my situation. Do
> I need to create a new Realm which could take either a UsernamePassword
> token and authenticate using some downstream (JNDI, LDAP, JDBC, etc.) realm
> OR another type of token to see if the token is still valid?
> 
> Or would I authenticate the user using UsernamePasswordToken, then get their
> session using subject.getSession(), return to the user the result of
> Session.getId(), then on subsequent requests, get their session ID they
> sent, then just look up the Session? Once I have that session, how do I get
> the Subject that holds that session ID?
> 
> Thanks in advance.
> 

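The flow coleslaw asked for, done the way Andreas describes (explicit login returns the Shiro session id, every other request rebuilds the Subject from that id and binds it to the thread), as an added example that is not code from the thread or from the Shiro project. The in-memory realm, the account and the two request handlers are constructed for the example; it assumes Shiro's native (non-HTTP) session management via DefaultSecurityManager.

```java
// Stateless-style Shiro flow for a web service: no HttpSession, the caller
// carries the Shiro session id. Added example; the realm, the sample account
// and the request handlers below are constructed for illustration.
import java.io.Serializable;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class TokenSessionService {

    // Step 1 (explicit login request): authenticate and hand back the session id.
    static Serializable login(String user, String pass) {
        Subject subject = new Subject.Builder().buildSubject(); // fresh, anonymous subject
        try {
            subject.login(new UsernamePasswordToken(user, pass.toCharArray()));
            return subject.getSession().getId();                // opaque id the caller sends back
        } catch (AuthenticationException e) {
            return null;                                        // same answer for bad user or bad password
        }
    }

    // Step 2 (every other request): rebuild the subject from the submitted id
    // and bind it to this thread so SecurityUtils.getSubject() works downstream.
    static String handle(Serializable sessionId) {
        Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
        // An unknown or expired id yields an anonymous subject, not an exception,
        // so the authenticated check is the real gate here.
        if (!subject.isAuthenticated()) {
            return "401 unauthenticated";
        }
        ThreadContext.bind(subject);
        try {
            return "hello " + SecurityUtils.getSubject().getPrincipal();
        } finally {
            ThreadContext.unbindSubject();   // never leak a subject to the next request on this thread
        }
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");                    // constructed sample account
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Serializable id = login("alice", "secret");
        System.out.println(handle(id));
        System.out.println(handle("no-such-session"));
    }
}
```

With a real deployment the session id is a bearer credential, so it should only travel over TLS and sessions should be invalidated with subject.logout() when the client is done.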