Could be that I'm missing something then. What you said is actually what I'm also trying to do: do the authentication based on the cookie and use AOP for JAXRS resources.

I started by modifying the org.apache.shiro.guice.web package in order to create a setter on the WebGuiceEnvironment class to set the ServletContext. I extended the GuiceShiroFilter a bit in order to create an AuthenticationToken based on the received cookie and log in the current subject (the authentication is resolved in a specialized Realm).

One other thing I had to do was to set a DefaultWebSessionManager on the created DefaultWebSecurityManager, otherwise I get into some exceptions:

java.lang.IllegalArgumentException: SessionContext must be an HTTP compatible implementation.

I got the solution from http://shiro-user.582556.n2.nabble.com/Subject-Builder-Exception-SessionContext-td7577512.html

In this way, the resource authorization seems to work. What I observed is that it still works even if I don't explicitly set the ServletContext in the WebGuiceEnvironment, which means the ServletContext is not even used, so the created Jira issue makes even more sense.

I checked out the SVN repository and I hope I'll have a bit of time to create a patch for this JIRA issue you created. It would be good to have a solution for this, so I don't have to maintain it with the next Shiro releases.

Thanks,

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Why-is-Shiro-assuming-that-you-already-have-a-server-running-tp7578017p7578040.html
Sent from the Shiro User mailing list archive at Nabble.com.
