Les,

Thanks for that explanation. When I configure the two authc filters this way, users who are logged into /foo/login are able to access bar/** urls, even though they are not supposed to (since they have not logged into /bar/login) and vice versa.

Is this because the session that was created when the user logged into /foo/login has no context in it, thereby a user accessing /bar/** url with that session cookie is allowed to access those pages? Is there an option to configure how session cookies are generated, so that they contain url context or something?

Rama

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Multiple-security-managers-and-realms-to-handle-authentication-for-different-sets-of-urls-tp7445068p7458677.html
Sent from the Shiro User mailing list archive at Nabble.com.
