Hello Shiro users,

I am designing a stateless web application (no cookie at all), and have to use Subject.runAs() because the subject's complete identity is sometimes known late (in application code rather than in Shiro filters). Problem: under the hood, DelegatingSubject.runAs() actually uses the session, and calls createSession(true).

I managed to avoid this by changing sm.subjectFactory and overriding getSession(boolean): basically I return a kind of HashMap wrapped as a fake org.apache.shiro.session.Session, hoping this object will not be persisted anywhere. I'd prefer to avoid this kind of trick...

Just inquiring if it makes sense to runAs() without a backing storage allowing releaseRunAs(): the previous identity must be stored somewhere... An alternative would be to use Subject.execute(), but this is not possible because I need to keep the subject identity until after application code has returned (thus releaseRunAs() will never be called).

Do you have any ideas on this point?

Regards,
M. Maison
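Added example, not part of the original post and not Shiro's own code: a sketch of the workaround described above, in which a custom subject factory returns subjects whose getSession(boolean) hands back an in-memory SimpleSession owned by that Subject instance, so runAs() can store its identity stack without calling the SessionManager. The class names InMemoryRunAsSubjectFactory and InMemoryRunAsSubject are hypothetical, and the sketch assumes Shiro 1.2 or later (the six-argument DelegatingSubject constructor) and a non-web DelegatingSubject.

```java
import org.apache.shiro.mgt.DefaultSubjectFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.subject.support.DelegatingSubject;

/** Hypothetical factory: each Subject keeps its run-as stack in a private in-memory session. */
public class InMemoryRunAsSubjectFactory extends DefaultSubjectFactory {

    @Override
    public Subject createSubject(SubjectContext context) {
        // Ignore any session in the context: the subject never sees a managed one.
        return new InMemoryRunAsSubject(
                context.resolvePrincipals(),
                context.resolveAuthenticated(),
                context.resolveHost(),
                context.resolveSecurityManager());
    }

    /** Hypothetical subject whose "session" is never handed to a SessionManager or SessionDAO. */
    static final class InMemoryRunAsSubject extends DelegatingSubject {
        // Lives and dies with this Subject instance (one request in a stateless app).
        private Session local;

        InMemoryRunAsSubject(PrincipalCollection principals, boolean authenticated,
                             String host, SecurityManager securityManager) {
            // session = null, sessionCreationEnabled = false: the stock code path
            // would refuse to create a session, so only the override below is used.
            super(principals, authenticated, host, null, false, securityManager);
        }

        @Override
        public synchronized Session getSession(boolean create) {
            // runAs() calls getSession(true); getPrincipals() calls getSession(false).
            if (local == null && create) {
                local = new SimpleSession(getHost());
            }
            return local;
        }
    }
}
```

It would be wired in with setSubjectFactory(new InMemoryRunAsSubjectFactory()) on a DefaultSecurityManager. The run-as identity then exists only on that Subject object: a Subject built for a later request starts from the principals presented with that request, so nothing about the assumed identity carries over.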
