Thank you for your help.
But I still do not have a clear understanding of how it should be implemented
in full circle.
At http://shiro.apache.org/spring.html#Spring-WebApplications
I see only a short description of what settings should be made.
These are my settings:
shiro.ini:
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
# This is the default value.  Change it if your CacheManager configured a different name:
sessionDAO.activeSessionsCacheName = shiro-activeSessionsCache
# Now have the native SessionManager use that DAO:
securityManager.sessionManager.sessionDAO = $sessionDAO
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
# Configure the above CacheManager on Shiro's SecurityManager
# to use it for all of Shiro's caching needs:
securityManager.cacheManager = $cacheManager
appRealm=com.deviq.banq.engine.shiro.AppRealm
securityManager.realms = $appRealm
[users]
admin=admin,ROLE_ADMIN
[roles]
ROLE_ADMIN = *
As you see I want to use shiro's native session and ehcache.

My web.xml in shiro part:
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>securityFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>securityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

As you see, the filters are embedded in the chain.


I'll try to describe the task step by step.
It is a stateless interaction, so I have a login form.
Should I still use the shiro filter?

1. The REST client wants to access some method of the server.
It sends a request including login-password (simple case).

2. The server gets the request, takes the login-password and tries to verify it.
   I just take the login-password from the request on the server side (String login,
String password) and am going to verify it by hand.
   I want to query the database about this user.
   Should I implement it myself, or is there some predefined shiro
class to perform such a check?

3. Shiro creates session.
You wrote
/Shiro will create a session for you when the user logs in and set the
JSESSIONID cookie.  As long as the client sends back that JSESSIONID cookie
value on every request, the current Subject will reflect the remote user
correctly./ 
*What settings specifically should be made for creating the session? Or did you
write about a web app, and it's applicable only to a web app having a login form?
Probably for stateless interaction I should create this session by using
some code like
Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject()?*


4. The server gets the SESSIONID and sends it back to the client.
*How can I access this just-created session?
How can I obtain this SESSIONID (for sending it back to the client)?*

5. The client includes the session id in every subsequent request. The server finds
the session specific to this client by this id.
*How can I find the session by SESSIONID?*

I did not find a complete code example. I did not find answers to these
questions.
Could you provide a code example?

I hope for your help.



--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/How-generate-session-id-and-maintain-session-tp7578665p7578671.html
Sent from the Shiro User mailing list archive at Nabble.com.
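
The five steps in the message above, as an added example that is not part of the original post or of Shiro's own documentation: log in through a realm, read the new session's id, and later rebuild the Subject from that id. The class and method names are hypothetical, `SimpleAccountRealm` is a constructed stand-in for the poster's `AppRealm`, and the default in-memory session store is used in place of the EhCache-backed DAO.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

import java.io.Serializable;

// Hypothetical helper class, written for this example only.
public class SessionIdRoundTrip {

    private final SecurityManager securityManager;

    public SessionIdRoundTrip(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /** Steps 2-4: the realm verifies the credentials; Shiro creates the session. */
    public Serializable login(String login, String password) throws AuthenticationException {
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken(login, password)); // delegates to the Realm
        return subject.getSession().getId();                       // value to return to the client
    }

    /** Step 5: rebuild the Subject from the id the client sent back. */
    public Subject resolve(Serializable sessionId) {
        Subject subject = new Subject.Builder(securityManager).sessionId(sessionId).buildSubject();
        // An unknown or expired id yields an anonymous Subject rather than an exception.
        if (!subject.isAuthenticated()) {
            throw new AuthenticationException("unknown or expired session id");
        }
        return subject;
    }

    public static void main(String[] args) {
        // Constructed account mirroring the [users] entry in the post; stands in for AppRealm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("admin", "admin", "ROLE_ADMIN");
        SessionIdRoundTrip service = new SessionIdRoundTrip(new DefaultSecurityManager(realm));

        Serializable id = service.login("admin", "admin");  // first request
        Subject later = service.resolve(id);                // any later request
        System.out.println(later.getPrincipal() + " hasRole=" + later.hasRole("ROLE_ADMIN"));
    }
}
```

The returned id is a bearer credential: whoever presents it is treated as the logged-in user, so return and accept it only over TLS and call `subject.logout()` to invalidate it when the client is done.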
