Hi everybody, I am a bit lost on how to make the technology mentioned in the subject work. Searching did not reveal information that helped me, so I'm sending this out to the experts.
First of all, let me briefly lay out what I plan to do. I would like to have a servlet container (Tomcat or Jetty) provide RPCs via Spring HttpInvoker. These calls need to be secured by authentication and authorization. The caller will be a Swing Client (or obviously a lot of these) who also will be responsible for collecting the principal and credential information, i.e. they will have a login form that is opened when they are started. No Webstart, the clients will start on their own from a local installation.

So what I need to do is to collect the authentication information, transfer it to the server, perform a Shiro authentication there and then transfer the session reference back to the client, which from then on will add this session reference to all remaining remote calls to have a security context bound to the calls. Or am I already wrong on this part?

Now, creating two remote calls with Spring remoting isn't that complicated. In my example I have done an example business call, secured by a permission requirement in the filter chain definition of the ShiroFilterFactoryBean, and an auth call, which is bound to the anon filter (before you're authenticated you are obviously anonymous). But I am having problems figuring out how the session information from the successful subject.login() call on the server is transferred back to the client and then bound to the remoteInvocationFactory for subsequent calls.

I tried to return SecurityUtils.getSubject().getSession().getId() as the result of my auth service and then to create a session on the client using

    Serializable sessionId = authService.login(user, pass);
    SimpleSession session = new SimpleSession();
    session.setId(sessionId);
    Subject subject = new Subject.Builder().session(session).buildSubject();

so that I could use subject.execute(Callable) around the business call, but for some reason beyond my current understanding no session cookie is added to the request.
Can somebody point me to a working example somewhere please? Alternatively I can post what I did so far in more detail, but I did not want to bloat the mailing list in the first place in case there is already a solution at hand. Maybe I'm just missing a point somewhere.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-Spring-HttpInvoker-Swing-Client-how-to-do-tp7577504.html
Sent from the Shiro User mailing list archive at Nabble.com.
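One way to carry the session id from the login call into later HttpInvoker requests, as an added example that is not part of the original post and not Shiro's or Spring's own code. It assumes the server tracks sessions with the default JSESSIONID cookie and that the auth service returns the session id as described above; the class name SessionCookieRequestExecutor and the proxy helper are hypothetical.

```java
import java.io.IOException;
import java.io.Serializable;
import java.net.HttpURLConnection;

import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;

/** Hypothetical client-side executor: sends the server-issued session id as a cookie. */
public class SessionCookieRequestExecutor extends SimpleHttpInvokerRequestExecutor {

    // Assumption: the server side uses the default session cookie name.
    private static final String COOKIE_NAME = "JSESSIONID";

    // Set once after login; read on every remote call, possibly from other threads.
    private volatile String sessionId;

    /** Call with the value returned by the auth service; pass null after logout. */
    public void setSessionId(Serializable id) {
        if (id == null) {
            this.sessionId = null;
            return;
        }
        String value = id.toString();
        // Allow only token characters so a malformed id cannot inject extra headers.
        if (!value.matches("[A-Za-z0-9._~-]{1,128}")) {
            throw new IllegalArgumentException("unexpected session id format");
        }
        this.sessionId = value;
    }

    @Override
    protected void prepareConnection(HttpURLConnection connection, int contentLength)
            throws IOException {
        super.prepareConnection(connection, contentLength);
        String id = this.sessionId;
        if (id != null) {
            // The server resolves the existing session (and its Subject) from this cookie.
            connection.setRequestProperty("Cookie", COOKIE_NAME + "=" + id);
        }
    }

    /** Builds a proxy for a remote interface; share one executor across all proxies. */
    public static <T> T proxy(String serviceUrl, Class<T> iface,
                              SessionCookieRequestExecutor executor) {
        if (!serviceUrl.startsWith("https://")) {
            // Credentials and the session id are bearer secrets; refuse plain HTTP.
            throw new IllegalArgumentException("service URL must use https");
        }
        HttpInvokerProxyFactoryBean factory = new HttpInvokerProxyFactoryBean();
        factory.setServiceUrl(serviceUrl);
        factory.setServiceInterface(iface);
        factory.setHttpInvokerRequestExecutor(executor);
        factory.afterPropertiesSet();
        return iface.cast(factory.getObject());
    }
}
```

Create the auth and business proxies with the same executor instance, then call executor.setSessionId(authService.login(user, pass)) once the login form succeeds; requests made before that carry no cookie and reach only the anon-mapped auth URL.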
