Hi all,

I have an application which uses a WebSecurityManager in conjunction with Apache Wicket. That works all well and good, but now I have encountered a single issue where I need to authenticate a user through a different entrance, which does not have any notion of HTTP sessions. When I try to log in a Subject without a session like this:

    Subject shiroSubject = null;
    Subject.Builder subjectBuilder = new Subject.Builder(manager).sessionCreationEnabled(false);
    shiroSubject = subjectBuilder.buildSubject();
    ...
    shiroSubject.login(new UsernamePasswordToken(user, password));

I tried every permutation of sessionCreationEnabled; I get the following exception:

    javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: SessionContext must be an HTTP compatible implementation.
        at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:103)
        at org.apache.shiro.web.session.mgt.ServletContainerSessionManager.start(ServletContainerSessionManager.java:64)
        at org.apache.shiro.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:152)
        at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:336)
        at org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:312)
        at org.apache.shiro.mgt.DefaultSubjectDAO.mergePrincipals(DefaultSubjectDAO.java:204)
        at org.apache.shiro.mgt.DefaultSubjectDAO.saveToSession(DefaultSubjectDAO.java:166)
        at org.apache.shiro.mgt.DefaultSubjectDAO.save(DefaultSubjectDAO.java:147)
        at org.apache.shiro.mgt.DefaultSecurityManager.save(DefaultSecurityManager.java:383)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:350)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:183)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:283)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)

I then looked at WebSubject.Builder; I can't create a builder without a Request and Response. So the question is: when you are using a WebSecurityManager, how do you authenticate a Subject in a case where there is no Request/Response available?

The only way that I can see is to hijack the WebSecurityManager's Authenticator and Authorizer and call their methods directly, completely ignoring the Subject, but that feels so wrong that I am guessing that I am way off :)