It is not the Subject, but the SecurityManager which is based on the machine.
So, the result of subject.isAuthenticated() on one machine can differ from
subject.isAuthenticated() on another machine even for the same instance of

What 'getSubject' returns is entirely dependent on your configured realms
(which are managed by the SecurityManager) and whether they use a cache or
not. So, if you send the subject from the client to the server, it might
behave differently on the server than on the client - a subject might be
authenticated on the client but not on the server because the states of the
two SecurityManagers differ.

Generally speaking the Shiro libraries should only be part of the server
side application. The client should never use them if it is to authenticate
against a server. The only exception to this rule I can think of is an
offline capable Android app, but then you would need to synchronize (large)
parts of your database between server and clients, anyway.

View this message in context:
Sent from the Shiro User mailing list archive at

Reply via email to