Hello,

First of all, as a new user to Shiro I'd just like to say what an excellent
project it is. We decided to give it a try to implement instance-based
permissions in our web application; it seems much easier to do this in Shiro
than in Spring Security ACLs.

We found the migration quite straightforward from Spring Security to Shiro,
however we have one outstanding issue we need help with:

Our webapp keeps track of active sessions. Previously, in Spring Security we
implemented an HttpSessionAttributeListener and, when a Spring session
attribute was set, we got the principal's details and added them to our
userTracker collection.

Using a similar approach in Shiro fails, however: if we listen for the
'org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY'
session object, this is set BEFORE the Principal is set into the subject.

E.g., in DefaultSecurityManager#login:

    Subject loggedIn = createSubject(token, info, subject); // sets session attribute
    onSuccessfulLogin(token, info, loggedIn); // sets Principal into the subject

So in our listener class, in method

    public void attributeAdded(HttpSessionBindingEvent event),

SecurityUtils.getSubject().getPrincipal() returns null.

Is there a recommended way to hook application code into a post-login /
post-session-expired event triggered by Shiro, so that we can get access to the
Subject's identity?

Thanks very much,
Richard
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/post-login-listener-tp7577907.html
Sent from the Shiro User mailing list archive at Nabble.com.
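
One way to get the identity at login time without relying on the session-attribute ordering described in the message is Shiro's `AuthenticationListener` interface. This is an added example, not part of the original post and not code from the Shiro project; the class name `UserTrackerAuthListener`, the `activeUsers` set (standing in for the poster's userTracker collection) and the `com.example` package in the configuration comment are assumptions.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Hypothetical tracker. Assumed shiro.ini wiring (names are placeholders):
 *   userTracker = com.example.UserTrackerAuthListener
 *   securityManager.authenticator.authenticationListeners = $userTracker
 */
public class UserTrackerAuthListener implements AuthenticationListener {

    // Stand-in for the application's userTracker collection (assumption).
    private final Set<Object> activeUsers = ConcurrentHashMap.newKeySet();

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        // Take the identity from the AuthenticationInfo handed to the listener
        // instead of SecurityUtils.getSubject(), which the post reports as
        // still returning a null principal when the session attribute is set.
        PrincipalCollection principals = info.getPrincipals();
        if (principals != null && !principals.isEmpty()) {
            activeUsers.add(principals.getPrimaryPrincipal());
        }
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // Failed attempts never become active users; nothing to track here.
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // Simplification: one entry per user, so a user with several sessions
        // is removed on the first explicit logout.
        if (principals != null && !principals.isEmpty()) {
            activeUsers.remove(principals.getPrimaryPrincipal());
        }
    }

    /** Read-only copy for display or auditing. */
    public Set<Object> snapshot() {
        return Collections.unmodifiableSet(new HashSet<>(activeUsers));
    }
}
```

`onLogout` is invoked for explicit logouts only, so session expiry needs separate handling, for example a session-destroyed listener that reads the principals attribute named in the message before the session is discarded.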