As a follow-up, we found and fixed the problem. We have two WAR files (so two Web Apps) that deploy inside the same Tomcat instance and need "single sign on" between them. That is, if you authenticate to one, your session must work as authenticated for the other (both use Shiro).
We built (for better or worse) our own code that sends updates between the two Web Apps when something changed a session in one or the other. The communication is sent via a network broadcast, which meant both the sender and the intended recipient would get the message. We had a problem with the sender processing its own message and getting confused and then discarding the session information. We fixed it by marking each message as being from a particular Web App and that app would not process its own messages. Hope that helps anyone else who might run into a similar problem.

--Stephen

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Session-losing-principals-tp7580186p7580451.html
Sent from the Shiro User mailing list archive at Nabble.com.
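
The fix described in the post above, sketched as an added example (not the poster's code): each update carries the ID of the Web App that sent it, and a receiver drops any message carrying its own ID. `SessionSyncDemo`, `SessionUpdate`, `Broadcast` and `WebApp` are hypothetical names, the in-memory `Broadcast` class stands in for the network broadcast, and records require Java 16 or later.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;

public class SessionSyncDemo {
    // Every update is marked with the ID of the web app that produced it.
    record SessionUpdate(String originId, String sessionId, String principal) {}

    // Stand-in for the network broadcast: every listener, the sender included,
    // receives every message.
    static class Broadcast {
        private final List<WebApp> listeners = new ArrayList<>();
        void join(WebApp app) { listeners.add(app); }
        void send(SessionUpdate u) { listeners.forEach(l -> l.onMessage(u)); }
    }

    static class WebApp {
        final String id = UUID.randomUUID().toString();         // unique per deployed app
        final Map<String, String> principals = new HashMap<>(); // sessionId -> principal
        int applied = 0;                                        // remote updates processed
        private final Broadcast bus;

        WebApp(Broadcast bus) { this.bus = bus; bus.join(this); }

        // Local change: update our own state first, then notify the other app.
        void login(String sessionId, String principal) {
            principals.put(sessionId, principal);
            bus.send(new SessionUpdate(id, sessionId, principal));
        }

        void onMessage(SessionUpdate u) {
            if (id.equals(u.originId())) return; // our own broadcast echoed back: ignore it
            principals.put(u.sessionId(), u.principal());
            applied++;
        }
    }

    public static void main(String[] args) {
        Broadcast bus = new Broadcast();
        WebApp a = new WebApp(bus), b = new WebApp(bus);
        a.login("constructed-session-1", "alice"); // constructed sample values
        System.out.println("A applied " + a.applied + ", B applied " + b.applied);
        System.out.println("B sees principal: " + b.principals.get("constructed-session-1"));
    }
}
```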
