I haven't tested this yet but I think the solution will be to use Subject.Builder:
.sessionCreationEnabled(false)

On Fri, Nov 15, 2013 at 3:34 PM, Stuart Broad <[email protected]> wrote:

> Hi,
>
> I am using 'core' shiro (not spring based) and would like to do the
> following but am not sure how to achieve it:
>
> *Case A:*
> Users will log into the system using a username and password
> (UsernamePasswordToken). This authentication takes place once and after
> logging in a persistent session will be created (this session will be
> deleted once logged out or timed out). This session has an id which is
> used for future requests.
>
> *Case B:*
> User information will be passed in an HTTP header (SSOToken) and the user
> will be 'authenticated' every time.
>
>
> I can achieve either of the above scenarios by configuring the security
> manager (my realm can handle either type of login token).
>
>
> *Problem:*
> The problem is I need the code to handle both case A and case B at the
> same time. Handling the login token is not a problem but I am not sure how
> to handle the session. What I would like to do is for case A create a
> persistent session and for case B create a throw away in memory session (or
> no session at all).
>
> *Possible Solutions:*
> If there was a way to link the session management to a realm then perhaps
> I could use two different realms (one for the username/password and the
> other for the sso token).
>
> Perhaps there is a way to write a custom session manager that will create
> different types of session depending upon the context.
>
>
> Any suggestions?
>
> Cheers,
>
> Stuart
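A small harness for trying the suggestion in this thread, added here as an example and not code from either poster or from the Shiro project. The class name `HybridLogin`, the `sessionAllowed` flag, the in-memory realm and the account are assumptions made for the demo; it reports whether a session exists after each login rather than assuming the outcome, since the suggestion above is untested.

```java
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

/** Added example (hypothetical class): picks per login whether the Subject may create a session. */
public class HybridLogin {
    private final SecurityManager securityManager;

    public HybridLogin(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /**
     * Case A (interactive login): sessionAllowed = true.
     * Case B (per-request SSO header): sessionAllowed = false, so a later
     * subject.getSession() on this Subject fails instead of creating one.
     */
    public Subject login(AuthenticationToken token, boolean sessionAllowed) {
        Subject subject = new Subject.Builder(securityManager)
                .sessionCreationEnabled(sessionAllowed)
                .buildSubject();
        subject.login(token); // AuthenticationException propagates to the caller
        return subject;
    }

    /** True if a session is attached to the Subject; never creates one. */
    public static boolean hasSession(Subject subject) {
        return subject.getSession(false) != null;
    }

    public static void main(String[] args) {
        // Constructed in-memory realm and account, for the demo only.
        SimpleAccountRealm realm = new SimpleAccountRealm("demo");
        realm.addAccount("alice", "constructed-password");
        HybridLogin logins = new HybridLogin(new DefaultSecurityManager(realm));

        // UsernamePasswordToken stands in for the thread's SSOToken in case B.
        Subject a = logins.login(new UsernamePasswordToken("alice", "constructed-password"), true);
        Subject b = logins.login(new UsernamePasswordToken("alice", "constructed-password"), false);

        // Report what actually happened instead of assuming it.
        System.out.println("case A has session: " + hasSession(a));
        System.out.println("case B has session: " + hasSession(b));
    }
}
```

If case B reports a session, check the `SessionStorageEvaluator` configured on the security manager's `SubjectDAO`, which decides whether Shiro stores subject state in a session after login.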
