Hello Shiro Users I am trying to get my head around how session handling happens in Shiro-Web. Looking at the code, there does not seem to be any code in the filters that sens any information to the securitymanager that has to do with sessions. (Looking at org.apache.shiro.web.filter.authc.AuthenticatingFilter and FromAuthenticationFilter as well as BasicHttpAuthenticationFilter)
How does the Web SessionManagers get this information? I see that i should be able to get the sessions subject like this: http://shiro.apache.org/session-management.html#SessionManagement-StatefulApplications%28Sessionsallowed%29 Serializable sessionId = //get from the inbound request or remote method invocation payloadSubject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject(); But how does the sessionmanager get this session id when it does not seem to be sent from the login filters? What did i miss? Thank you for the help -Martin
