Ok so that didn't work for me. The way I have resolved it is by creating an 'sso session' which I set on the Subject.Builder so that the subject uses that session. My SessionDAO is written so that it does not persist any 'sso' sessions.
Cheers,
Stuart

On Mon, Nov 18, 2013 at 4:38 PM, Stuart Broad <[email protected]> wrote:
> I haven't tested this yet but I think the solution will be to use Subject.Builder:
>
> .sessionCreationEnabled(false)
>
>
> On Fri, Nov 15, 2013 at 3:34 PM, Stuart Broad <[email protected]> wrote:
>
>> Hi,
>>
>> I am using 'core' shiro (not spring based) and would like to do the following but am not sure how to achieve it:
>>
>> *Case A:*
>> Users will log into the system using a username and password (UsernamePasswordToken). This authentication takes place once and after logging in a persistent session will be created (this session will be deleted once logged out or timed out). This session has an id which is used for future requests.
>>
>> *Case B:*
>> User information will be passed in an HTTP header (SSOToken) and the user will be 'authenticated' every time.
>>
>> I can achieve either of the above scenarios by configuring the security manager (my realm can handle either type of login token).
>>
>> *Problem:*
>> The problem is I need the code to handle both case A and case B at the same time. Handling the login token is not a problem but I am not sure how to handle the session. What I would like to do is for case A create a persistent session and for case B create a throw-away in-memory session (or no session at all).
>>
>> *Possible Solutions:*
>> If there was a way to link the session management to a realm then perhaps I could use two different realms (one for the username/password and the other for the sso token).
>>
>> Perhaps there is a way to write a custom session manager that will create different types of session depending upon the context.
>>
>> Any suggestions?
>>
>> Cheers,
>>
>> Stuart
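One way to wire up what Stuart describes in his last message (a pre-built 'sso' session handed to Subject.Builder, plus a SessionDAO that refuses to store any session carrying that marker), written against the Shiro 1.x core API. This is an added example, not code from the thread or from Shiro itself; the names SSO_MARKER, SSOToken, DualRealm, SelectiveSessionDAO and DualSessionDemo are assumptions, the one-user table is constructed, and the SSOToken assumes the HTTP header was already verified by an upstream gateway.

```java
import java.io.Serializable;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Added example: case A gets a DAO-backed session, case B a throw-away in-memory one. */
public class DualSessionDemo {

    /** Session attribute marking a throw-away SSO session (assumed name). */
    static final String SSO_MARKER = "sso";

    /** Hypothetical token built from the SSO HTTP header; assumes the header was verified upstream. */
    static final class SSOToken implements AuthenticationToken {
        private final String user;
        SSOToken(String user) { this.user = user; }
        @Override public Object getPrincipal() { return user; }
        @Override public Object getCredentials() { return user; }
    }

    /** Stand-in for the list author's realm: accepts both token types. */
    static final class DualRealm extends AuthorizingRealm {
        DualRealm() { setAuthenticationTokenClass(AuthenticationToken.class); }

        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = String.valueOf(token.getPrincipal());
            if (token instanceof UsernamePasswordToken) {
                // Constructed one-user table; a real realm would look up a salted hash.
                if (!"alice".equals(user)) throw new AuthenticationException("unknown user " + user);
                return new SimpleAuthenticationInfo(user, "s3cr3t", getName());
            }
            // SSO: the gateway already authenticated the user, so credentials just echo the principal.
            return new SimpleAuthenticationInfo(user, token.getCredentials(), getName());
        }

        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo();
        }
    }

    /** SessionDAO that stores ordinary sessions but never one carrying the SSO marker. */
    static final class SelectiveSessionDAO extends AbstractSessionDAO {
        /** Stand-in for the persistent store (a database in a real deployment). */
        final Map<Serializable, Session> store = new ConcurrentHashMap<>();

        static boolean isSso(Session s) { return Boolean.TRUE.equals(s.getAttribute(SSO_MARKER)); }

        @Override protected Serializable doCreate(Session session) {
            Serializable id = generateSessionId(session);
            assignSessionId(session, id);
            if (!isSso(session)) store.put(id, session); // SSO sessions get an id but are not kept
            return id;
        }
        @Override protected Session doReadSession(Serializable id) { return store.get(id); }
        @Override public void update(Session session) { if (!isSso(session)) store.put(session.getId(), session); }
        @Override public void delete(Session session) { store.remove(session.getId()); }
        @Override public Collection<Session> getActiveSessions() { return store.values(); }
    }

    static DefaultSecurityManager newSecurityManager(SelectiveSessionDAO dao) {
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setSessionDAO(dao);
        sessionManager.setSessionValidationSchedulerEnabled(false); // no background thread needed here
        DefaultSecurityManager sm = new DefaultSecurityManager(new DualRealm());
        sm.setSessionManager(sessionManager);
        return sm;
    }

    /** Case A: plain login; the session manager starts a session and the DAO persists it. */
    static Subject loginWithPassword(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    /** Case B: hand a pre-built, marked SimpleSession to the Subject, so the session manager
     *  never starts one through the DAO and the subject state lives only in memory. */
    static Subject loginWithSsoHeader(DefaultSecurityManager sm, String headerUser) {
        SimpleSession sso = new SimpleSession();
        sso.setAttribute(SSO_MARKER, Boolean.TRUE);
        Subject subject = new Subject.Builder(sm).session(sso).buildSubject();
        subject.login(new SSOToken(headerUser));
        return subject;
    }

    /** True when the subject's current session is held in the DAO's store. */
    static boolean isPersisted(SelectiveSessionDAO dao, Subject subject) {
        Session s = subject.getSession(false);
        return s != null && s.getId() != null && dao.store.containsKey(s.getId());
    }

    public static void main(String[] args) {
        SelectiveSessionDAO dao = new SelectiveSessionDAO();
        DefaultSecurityManager sm = newSecurityManager(dao);
        Subject a = loginWithPassword(sm, "alice", "s3cr3t");
        Subject b = loginWithSsoHeader(sm, "bob");
        System.out.println("case A session persisted: " + isPersisted(dao, a));
        System.out.println("case B session persisted: " + isPersisted(dao, b));
        a.logout();
        b.logout();
        System.out.println("sessions left in store after logout: " + dao.store.size());
    }
}
```

The marker check in the DAO is a backstop: because the SSO SimpleSession is supplied through Subject.Builder.session(), Shiro's DefaultSecurityManager adopts it as the subject's session instead of asking the session manager to start one, so the DAO is never consulted for it and nothing with that subject's identity reaches the persistent store. The password login, by contrast, goes through DefaultSessionManager, which calls the DAO's create on login and delete on logout. If case B should carry no session object at all, Shiro 1.2+ also lets you plug a SessionStorageEvaluator into DefaultSubjectDAO so it stops creating a session just to store subject state; this example keeps the in-memory session approach from the thread instead.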
