Hi all,

following situation in short: I'm using Shiro together with Vaadin. As
Vaadin supports multiple tabs (each tab is a separate UI instance,
independent from each other) in one browser session, I must reproduce the
same behaviour in Shiro too. That means, I must manage a separate subject
for each browser tab (different users logged into each tab).

From Vaadin's UI instance (and of course from the HTTP request parameters),
I get a unique embedId to distinguish each tab. So, theoretically it should
not be a problem to hold multiple independent subjects in one session.

What I've done so far is extending SecurityManager, SubjectContext,
SubjectDAO, Subject/-Factory. The idea at the end is to not only handle the two
keys DefaultSubjectContext.PRINCIPALS_SESSION_KEY and
DefaultSubjectContext.AUTHENTICATED_SESSION_KEY for storing the subject's
state in the session. Instead of this, I will create for each browser tab a
new pair of these keys and add Vaadin's embedId to the key name. So I
have a separate principal key and authenticated key for each tab stored in
the session.

All this seems to work quite well when I debug, but the only thing I
struggle with a bit is the static SecurityUtils.getSubject(). This method always
returns the Subject of the ThreadContext if it is already stored there. But
exactly here, it should return a tab-dependent Subject. Unfortunately, I
can't extend the SecurityUtils, because it is static. Of course, I can write
my own util class for the tab-related Subject. But
SecurityUtils.getSubject() is also used inside the Shiro framework and also
in the Shiro extension package Pac4j which I use (SAML stuff).

Now I thought about extending my MultiTabSubject in such a way that it
holds the state of all Subjects of its session and then decides which state
it should return when asked for principal and authenticated state. All the
other Subject's properties should share the same states. That means, my own
MultiTabSubject works like a decorator. But I'm not really sure if this
works without any problems together with the SecurityManager and all its

Does any of you have a better idea how to do this? Or is this a dangerous
approach at all? Thank you very much for any input.


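One way to get SecurityUtils.getSubject() to return a tab-specific Subject without touching SecurityUtils itself, as an added example that is not code from the post above, from Shiro, Vaadin or pac4j: bind the per-tab Subject to the thread for the duration of each request, which is the same mechanism ShiroFilter uses for the session-wide Subject. The filter below is hypothetical and is assumed to be mapped after ShiroFilter; the parameter name `v-embedId`, the filter class name and the key scheme `<shiro key>.<embedId>` are assumptions that mirror the poster's description. It also assumes the custom SubjectContext and SubjectDAO described in the post are in place, so that the shared default keys are neither consulted when a tab has no principals nor written when the new Subject is saved; with Shiro's stock DefaultSubjectDAO, building the Subject would overwrite PRINCIPALS_SESSION_KEY for every tab.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.apache.shiro.web.subject.WebSubject;

/**
 * Hypothetical servlet filter (not part of Shiro, Vaadin or pac4j), mapped
 * after ShiroFilter. It reads the tab's embedId, rebuilds a tab-specific
 * Subject from per-tab session keys and binds that Subject to the thread for
 * the rest of the chain, so SecurityUtils.getSubject() returns it there.
 */
public class TabSubjectFilter implements Filter {

    /** Assumed name of the request parameter carrying Vaadin's embedId. */
    static final String EMBED_ID_PARAM = "v-embedId";

    /** The value is client-supplied and becomes part of a session attribute
     *  name, so only a conservative character set is accepted. */
    private static final Pattern EMBED_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Per-tab variants of Shiro's two subject-state session keys (assumed scheme). */
    static String principalsKey(String embedId) {
        return DefaultSubjectContext.PRINCIPALS_SESSION_KEY + "." + embedId;
    }

    static String authenticatedKey(String embedId) {
        return DefaultSubjectContext.AUTHENTICATED_SESSION_KEY + "." + embedId;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        String embedId = req.getParameter(EMBED_ID_PARAM);
        Subject requestSubject = SecurityUtils.getSubject();   // bound by ShiroFilter
        Session session = requestSubject.getSession(false);

        if (embedId == null || !EMBED_ID.matcher(embedId).matches() || session == null) {
            // No usable tab context: keep Shiro's default, session-wide Subject.
            chain.doFilter(req, resp);
            return;
        }

        // Tab state lives under per-tab keys; absent keys yield an anonymous Subject.
        PrincipalCollection principals =
                (PrincipalCollection) session.getAttribute(principalsKey(embedId));
        boolean authenticated =
                Boolean.TRUE.equals(session.getAttribute(authenticatedKey(embedId)));

        SecurityManager sm = SecurityUtils.getSecurityManager();
        Subject tabSubject = new WebSubject.Builder(sm, req, resp)
                .session(session)                 // same HTTP session, different state
                .principals(principals)
                .authenticated(authenticated)
                .buildSubject();

        try {
            // execute() binds tabSubject to the current thread and, when the
            // callable returns, restores whatever was bound before it.
            tabSubject.execute((Callable<Void>) () -> {
                chain.doFilter(req, resp);
                return null;
            });
        } catch (ExecutionException e) {
            // Shiro wraps checked exceptions thrown by the callable; unwrap the servlet ones.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
}
```

Two points worth keeping in mind with this design. Every tab still shares one session cookie and the embedId is chosen by the client, so per-tab Subjects separate UI state, not principals: whoever holds the session cookie can present any embedId, and authorization decisions must not assume that tab A's user cannot reach tab B's state. And any framework code that reads session-wide keys directly rather than going through the bound Subject (pac4j's SAML callback handling included) will see whichever state it reads, so it is worth tracing those paths once and confirming which key they end up using.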