All browsers handle sessions for you, so on the web client you need *not* check sessions but instead just do form authentication: https://shiro.apache.org/webapp-tutorial.html#step3 (you need not use a JSP page; any POST operation that results in the same HTTP request will work). And then the browser will handle everything from there.
For the desktop client it depends very strongly on which technologies and frameworks you use to decide how best to handle everything. Just do *not* have the desktop client connect directly to your database and handle all the business logic itself. Especially, what you should *not* do is pass the SecurityManager or Subject to your clients. Instead, keep all business logic on the server and have the clients just display data and offer buttons and such which trigger methods to run on the server. Assuming that the desktop client and the web client offer the same functionality, I suggest you create REST services to create users and such and then simply call those REST methods from within your desktop client and web client alike. Depending on whether the desktop client and web client have already been implemented or not and which frameworks you use, this may not be the best option, though.
--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-should-we-go-about-configuring-a-Desktop-Client-with-Shiro-in-the-Server-tp7581322p7581325.html
Sent from the Shiro User mailing list archive at Nabble.com.
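Added example, not part of the original message or of Shiro's own code: a desktop client that logs in with the same form POST a browser would send, keeps only the session cookie, and then calls a REST method. The in-process stub server, the credentials, the `/api/users` path and the 302-on-success behaviour (Shiro's default form filter settings, `/login.jsp` with `username`/`password`) are assumptions constructed for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
public class DesktopClientSketch {
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Shiro-protected server (assumed behaviour:
        // 302 + session cookie on successful form login, login page again otherwise).
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/login.jsp", ex -> {
            String form = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            boolean ok = form.equals("username=alice&password=constructed-pw");
            if (ok) {
                ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=constructed-id; Path=/");
                ex.getResponseHeaders().add("Location", "/");
            }
            ex.sendResponseHeaders(ok ? 302 : 200, -1);
            ex.close();
        });
        server.createContext("/api/users", ex -> {   // hypothetical REST method
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            boolean ok = cookie != null && cookie.contains("JSESSIONID=constructed-id");
            byte[] body = (ok ? "[\"alice\"]" : "login required").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 403, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        URI base = URI.create("http://127.0.0.1:" + server.getAddress().getPort());
        // Desktop client: holds only a cookie jar, never a Subject or SecurityManager.
        HttpClient client = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1)
                .cookieHandler(new CookieManager())
                .followRedirects(HttpClient.Redirect.NEVER).build();
        HttpResponse<Void> login = client.send(HttpRequest.newBuilder(base.resolve("/login.jsp"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("username=alice&password=constructed-pw"))
                .build(), HttpResponse.BodyHandlers.discarding());
        if (login.statusCode() != 302) throw new IllegalStateException("login rejected");
        HttpResponse<String> users = client.send(
                HttpRequest.newBuilder(base.resolve("/api/users")).GET().build(),
                HttpResponse.BodyHandlers.ofString());
        System.out.println(users.statusCode() + " " + users.body());
        server.stop(0);
    }
}
```

Against a real deployment the base URI would be the server's HTTPS address, and form values other than these constructed ones need URL-encoding before they go into the POST body.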
