Hi, I am using 'core' Shiro (not Spring based) and would like to do the following but am not sure how to achieve it:

*Case A:* Users will log into the system using a username and password (UsernamePasswordToken). This authentication takes place once, and after logging in a persistent session will be created (this session will be deleted once logged out or timed out). This session has an id which is used for future requests.

*Case B:* User information will be passed in an HTTP header (SSOToken) and the user will be 'authenticated' every time.

I can achieve either of the above scenarios by configuring the security manager (my realm can handle either type of login token).

*Problem:* The problem is I need the code to handle both case A and case B at the same time. Handling the login token is not a problem, but I am not sure how to handle the session. What I would like to do is, for case A, create a persistent session and, for case B, create a throwaway in-memory session (or no session at all).

*Possible Solutions:* If there was a way to link the session management to a realm, then perhaps I could use two different realms (one for the username/password and the other for the SSO token). Perhaps there is a way to write a custom session manager that will create different types of session depending upon the context.

Any suggestions?

Cheers,
Stuart
