Hi Shannon,

That is one way to do it, but I think a (much) easier way is to configure this in a configuration mechanism. For example, with shiro.ini:

    securityManager.subjectDao.sessionStorageEvaluator.sessionStorageEnabled = false

Or you could use Spring or JBoss beans.xml or whatever else you prefer.

This prevents Shiro from storing data in sessions for all Subjects - this may or may not be desirable for you if you have a UI for example. For all REST requests, this should be fine however.

But note: this only prevents _Shiro_ itself from using the Session for its own storage needs. It does not prevent you (or other developers on your team) from starting a session by calling subject.getSession() or httpServletRequest.getSession(). But you can enforce this as well.

If you want to _guarantee_ that sessions won't be used, and not just by Shiro, but _any_ 3rd party framework or even your own development team (which I think is a really good idea if you want to enforce statelessness for a REST API), you should use Shiro's NoSessionCreationFilter:

http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/web/filter/session/NoSessionCreationFilter.html

This will throw a DisabledSessionException if anyone or anything tries to create a Session - really handy for enforcing statelessness. You'd be surprised by the things that use the session without your knowledge.

Note that this will only work if defined _after_ the root ShiroFilter in the filter chain. Any 3rd party servlet that might sit 'higher' in the FilterChain above the NoSessionCreationFilter can still create sessions. This is one of many reasons why we suggest that the ShiroFilter sit at the top of the filter chain and you define all other Filters after it.

Finally, this is all covered in documentation:

http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%2528Sessionless%2529
and
http://shiro.apache.org/session-management.html#SessionManagement-WebApplications

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Thu, Feb 7, 2013 at 5:44 AM, shannon <[email protected]> wrote:
> Dear community,
>
> I am working on a project using Jboss 4.2.3 with Seam framework and Shiro 1.2.
> The architecture is mainly using restful webservices (resteasy). In this
> framework, there is a general authenticator, which is called on every single
> rest request. Of course, I would like to support multiple users at the same
> time, so I decided to deactivate session handling of shiro by the following
> code:
>
>     ((DefaultSessionStorageEvaluator)((DefaultSubjectDAO)((DefaultSecurityManager)SecurityUtils.getSecurityManager()).getSubjectDAO()).getSessionStorageEvaluator()).setSessionStorageEnabled(false);
>
> The class that is called on each webservice (rest) request is implemented in
> the following way:
>
> -----snippet (Authenticator) begin------
>     Subject currentUser = SecurityUtils.getSubject();
>     UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken(username, password);
>     usernamePasswordToken.setRememberMe(false);
>     String ipAddress = "";
>     HttpServletRequest httpRequest = ServletContexts.instance().getRequest();
>     currentUser.login(usernamePasswordToken);
>     loginSuccessful = true;
>     return currentUser.isAuthenticated();
> -----snippet end-------
>
> My question is now - is this the right way how to do that?
>
> Many thanks in advance for any suggestion/hint.
>
> br
> shannon
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Shiro-and-Jboss-Seam-2-2-integration-tp7578239.html
> Sent from the Shiro User mailing list archive at Nabble.com.
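The two measures from the reply above (disabling Shiro's own session storage and enforcing no session creation with NoSessionCreationFilter) put together in one shiro.ini, as an added illustration that is not part of the original thread. The `/api/**` path pattern and the `[users]` entry are constructed placeholders for the example; `noSessionCreation` and `authcBasic` are Shiro's built-in default filter names.

```ini
[main]
# 1) Stop Shiro itself from persisting Subject state (principals, authc
#    flag) in an HttpSession. Each REST request must re-authenticate.
securityManager.subjectDao.sessionStorageEvaluator.sessionStorageEnabled = false

[users]
# Constructed placeholder credentials for a stand-alone test only; a real
# deployment configures a proper realm instead of an inline user list.
rest-client = CHANGE-ME, api

[urls]
# 2) noSessionCreation goes FIRST in the chain so that any later filter,
#    resource method or 3rd-party code that calls getSession() on this
#    request raises DisabledSessionException instead of silently creating
#    one. authcBasic then authenticates every request via HTTP Basic.
/api/** = noSessionCreation, authcBasic
```

These filters run inside the root ShiroFilter, so they only cover code that executes after it; a servlet filter mapped ahead of ShiroFilter in web.xml is outside their reach, which is why the reply recommends mapping ShiroFilter first.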
