So the problem was not in using the SecurityUtils.* methods. It's my custom DAO native session implementation that was faulty, causing the authenticated flag not to be persisted by my custom DAO. That's why the successful authentication didn't last after the request ended and it kept returning to the login page.
On Saturday, July 13, 2013, Albert Kam wrote:
> The docs in http://shiro.apache.org/spring.html state:
>
>   For simplest integration, so that all SecurityUtils.* methods work in all cases,
>   make the securityManager bean a static singleton.
>   DO NOT do this in web applications - see the 'Web Applications' section below instead.
>
>   <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
>       <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
>       <property name="arguments" ref="securityManager"/>
>   </bean>
>
> And from
> http://mail-archives.apache.org/mod_mbox/shiro-user/201211.mbox/%3ccaatvd4wla_gu_1qofjbloo7ubyolmssa2yrxch-5tq-yzut...@mail.gmail.com%3E,
> it says:
>
>   SecurityUtils.getSubject() is mainly a convenience - Shiro can - and does - work quite well
>   in any environment. If there isn't a thread-per-request model, the Shiro end-user (or
>   framework developer) just has to do some extra work to allow an app developer to use
>   something other than SecurityUtils.
>
> So, if I don't understand wrongly:
> - Setting the securityManager in the XML is actually just fine
> - Using SecurityUtils.getSubject() in a web environment + native session is also just fine?
>
> I am trying to understand these because I cannot seem to get a successful login to persist between requests.
> My case is as follows:
> - I am using both the XML snippet above + SecurityUtils.getSubject() + Spring + the latest Apache Shiro
> - My first access to the server will activate the creation of the session (without doing any logins).
>   I can see it inside my DB since I am using a custom sessionDAO for this, and it returns the main page
> - At the main page, I try login, where the token is authenticated successfully,
>   as the output is true for subject.isAuthenticated(). And then it's redirected to the main page again
> - Now when the main page opens, it still says unauthenticated (from the output of
>   SecurityUtils.getSubject().isAuthenticated()), even when the session has been created,
>   and even in the previous request the subject's authentication is successful (meaning the realm is correct)
>
> What did I do wrongly here?
>
> --
> Do not pursue the past. Do not lose yourself in the future.
> The past no longer is. The future has not yet come.
> Looking deeply at life as it is in the very here and now,
> the practitioner dwells in stability and freedom.
> (Thich Nhat Hanh)
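The failure described in the reply above comes down to one method: after a successful login, Shiro's DefaultSubjectDAO stores the principals and the authenticated flag as session attributes, and DefaultSessionManager then calls the SessionDAO's update(Session) so the change reaches the store. A custom DAO that writes the session only in doCreate() and treats update() as a no-op persists the anonymous session from the first request and drops the login. The following is an added example, not code from this thread or from the Shiro project. It assumes a key/value store standing in for the database table (a ConcurrentHashMap here, constructed for the demonstration), and the class name, the persistOnUpdate switch and the two-request simulation are assumptions made to show both the faulty and the corrected behaviour side by side.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/** Example SessionDAO storing each session as a serialized blob in a key/value store.
 *  The store is a ConcurrentHashMap here, a constructed stand-in for the real DB table. */
public class BlobSessionDAO extends AbstractSessionDAO {

    private final Map<Serializable, byte[]> store = new ConcurrentHashMap<>();
    // false reproduces the bug from the thread: update() never reaches the store
    private final boolean persistOnUpdate;

    public BlobSessionDAO(boolean persistOnUpdate) { this.persistOnUpdate = persistOnUpdate; }

    @Override
    protected Serializable doCreate(Session session) {
        Serializable id = generateSessionId(session);   // AbstractSessionDAO helpers
        assignSessionId(session, id);
        store.put(id, serialize(session));              // first write: the still-anonymous session
        return id;
    }

    @Override
    protected Session doReadSession(Serializable sessionId) {
        byte[] blob = store.get(sessionId);
        return blob == null ? null : deserialize(blob);
    }

    /** DefaultSessionManager.onChange() calls this after every attribute change, including the
     *  principals and authenticated flag that DefaultSubjectDAO stores after subject.login().
     *  If nothing is written here, the next request rebuilds the pre-login session. */
    @Override
    public void update(Session session) throws UnknownSessionException {
        if (!store.containsKey(session.getId())) {
            throw new UnknownSessionException("no stored session with id " + session.getId());
        }
        if (persistOnUpdate) {
            store.put(session.getId(), serialize(session));
        }
    }

    @Override
    public void delete(Session session) { store.remove(session.getId()); }

    @Override
    public Collection<Session> getActiveSessions() {
        Collection<Session> sessions = new ArrayList<>();
        for (byte[] blob : store.values()) sessions.add(deserialize(blob));
        return sessions;
    }

    private static byte[] serialize(Session session) {
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(session);   // SimpleSession is Serializable
            oos.flush();
            return bos.toByteArray();
        } catch (IOException e) {
            throw new IllegalStateException("cannot serialize session " + session.getId(), e);
        }
    }

    private static Session deserialize(byte[] blob) {
        // Only blobs this DAO wrote itself are ever deserialized; never feed untrusted bytes here.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return (Session) ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new IllegalStateException("cannot deserialize stored session", e);
        }
    }

    /** Simulation of the two requests from the thread: the login request marks the session
     *  authenticated, the following request reads the session back from the store. */
    public static boolean loginSurvivesNextRequest(BlobSessionDAO dao) {
        SimpleSession session = new SimpleSession("127.0.0.1");   // constructed sample session
        Serializable id = dao.create(session);
        // what DefaultSubjectDAO does after a successful subject.login(token)
        session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);
        dao.update(session);
        Session nextRequest = dao.readSession(id);   // next request: session rebuilt from the store
        return Boolean.TRUE.equals(nextRequest.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY));
    }

    public static void main(String[] args) {
        System.out.println("faulty DAO keeps login: " + loginSurvivesNextRequest(new BlobSessionDAO(false)));
        System.out.println("fixed DAO keeps login:  " + loginSurvivesNextRequest(new BlobSessionDAO(true)));
    }
}
```

With persistOnUpdate false the flag set after login is never written and the reread session is unauthenticated, which is exactly the redirect-to-login loop described above; with it true the same flow keeps the login. In a deployed application the update() call is made by Shiro itself (through DelegatingSession and DefaultSessionManager.onChange) rather than by hand as in the simulation, so the check a practitioner wants is that update() writes the whole session, not just the row created in doCreate().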
