It is not the Subject, but the SecurityManager which is based on the machine. So, the result of subject.isAuthenticated() on one machine can differ from subject.isAuthenticated() on another machine even for the same instance of 'subject'.
What 'getSubject' returns is entirely dependent on your configured realms (which are managed by the SecurityManager) and whether they use a cache or not. So, if you send the subject from the client to the server, it might behave differently on the server than on the client - a subject might be authenticated on the client but not on the server because the states of the two SecurityManagers differ. Generally speaking the Shiro libraries should only be part of the server side application. The client should never use them if it is to authenticate against a server. The only exception to this rule I can think of is an offline capable Android app, but then you would need to synchronize (large) parts of your database between server and clients, anyway. -- View this message in context: http://shiro-user.582556.n2.nabble.com/How-should-we-go-about-configuring-a-Desktop-Client-with-Shiro-in-the-Server-tp7581322p7581331.html Sent from the Shiro User mailing list archive at Nabble.com.
