The docs at http://shiro.apache.org/spring.html state:

    For simplest integration, so that all SecurityUtils.* methods work in all cases, make the securityManager bean a static singleton. DO NOT do this in web applications - see the 'Web Applications' section below instead.

    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
        <property name="arguments" ref="securityManager"/>
    </bean>
And http://mail-archives.apache.org/mod_mbox/shiro-user/201211.mbox/%3ccaatvd4wla_gu_1qofjbloo7ubyolmssa2yrxch-5tq-yzut...@mail.gmail.com%3E says:

    SecurityUtils.getSubject() is mainly a convenience - Shiro can - and does - work quite well in any environment. If there isn't a thread-per-request model, the Shiro end-user (or framework developer) just has to do some extra work to allow an app developer to use something other than SecurityUtils.

So, if I am not misunderstanding:

- Setting the securityManager in the XML is actually just fine
- Using SecurityUtils.getSubject() in a web environment + native session is also just fine?

I am trying to understand these because I cannot seem to get a successful login to persist between requests.

My case is as follows:

- I am using both the XML snippet above + SecurityUtils.getSubject() + Spring + the latest Apache Shiro
- My first access to the server activates the creation of the session (without doing any logins). I can see it inside my DB, since I am using a custom sessionDAO for this, and it returns the main page
- At the main page, I try to log in, and the token is authenticated successfully, as the output is true for subject.isAuthenticated(). Then it is redirected to the main page again
- Now when the main page opens, it still says unauthenticated (from the output of SecurityUtils.getSubject().isAuthenticated()), even though the session has been created, and even though in the previous request the subject's authentication was successful (meaning the realm is correct)

What did I do wrong here?

--
Do not pursue the past. Do not lose yourself in the future. The past no longer is. The future has not yet come. Looking deeply at life as it is in the very here and now, the practitioner dwells in stability and freedom. (Thich Nhat Hanh)
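For reference, the web-application wiring that the quoted docs point to instead of the static singleton, as an added example that is not part of the original post or the poster's configuration. The bean ids `myRealm` and `mySessionDAO`, the `com.example.*` classes and the `/login` URL are hypothetical placeholders; the block shows fragments of two files, marked in the comments.

```xml
<!-- web.xml fragment: every request passes through the Spring-managed Shiro filter.
     The filter builds the Subject from the request's session id and binds it to the
     request thread, which is what SecurityUtils.getSubject() reads back. -->
<filter>
  <filter-name>shiroFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  <init-param>
    <param-name>targetFilterLifecycle</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>shiroFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext.xml fragment: note there is no MethodInvokingFactoryBean
     calling SecurityUtils.setSecurityManager here. -->

<!-- The bean id must match the filter-name in web.xml. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  <property name="securityManager" ref="securityManager"/>
  <property name="loginUrl" value="/login"/> <!-- hypothetical URL -->
</bean>

<!-- Web-aware security manager, not the plain DefaultSecurityManager. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
  <property name="realm" ref="myRealm"/>
  <property name="sessionManager" ref="sessionManager"/>
</bean>

<!-- Native (Shiro-managed) sessions, persisted through a custom SessionDAO. -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
  <property name="sessionDAO" ref="mySessionDAO"/>
</bean>

<!-- Hypothetical application beans standing in for the realm and session store. -->
<bean id="myRealm" class="com.example.MyRealm"/>
<bean id="mySessionDAO" class="com.example.MySessionDAO"/>

<!-- Runs init()/destroy() on Shiro beans that implement those lifecycle hooks. -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
```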
