Hello everyone,
I noticed that the `login` method on DefaultSecurityManager always creates a
session. In my opinion, this is not always useful; for example, an HTTP-basic
authenticated API client might not need a session. I tried to use
`DefaultSubjectContext#setSessionCreationEnabled(false)` before creating the
Subject that I want to log in. But this setting is not considered.
So my question is: Is this behavior intentional? If so, what is the reasoning?
And is there a way to prevent Shiro from creating a session after authentication?
Here's how I tried it in more detail:
var securityManager = new DefaultSecurityManager();
var ctxt = new DefaultSubjectContext();
ctxt.setSecurityManager(securityManager);
ctxt.setSessionCreationEnabled(false);
var subject = securityManager.createSubject(ctxt);
// the subject is now a `DelegatingSubject` with `sessionCreationEnabled == false`
subject.login(token); // calls securityManager#login
// The login call above caused the creation of a session. The property
// `sessionCreationEnabled` was ignored.
Thanks in advance for your help,
Claudio
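
One way to keep a login session-free, as an added example that is not part of the original post: it disables session storage on the `DefaultSubjectDAO` through a `DefaultSessionStorageEvaluator`, which is Shiro's documented switch for stateless use. The in-memory realm, the account name and the password are constructed sample values, and the class name is hypothetical.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class StatelessLoginExample {
    public static void main(String[] args) {
        // Constructed in-memory realm with a single sample account.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("api-client", "sample-password");

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // The SubjectDAO is what writes principals and authentication state
        // into a session when a subject is saved. Disabling session storage
        // on its evaluator stops that write, so no session is needed.
        DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);
        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        subjectDAO.setSessionStorageEvaluator(evaluator);
        securityManager.setSubjectDAO(subjectDAO);

        // Also forbid explicit session creation on this subject, so a later
        // getSession() call fails instead of silently creating state.
        Subject subject = new Subject.Builder(securityManager)
                .sessionCreationEnabled(false)
                .buildSubject();

        subject.login(new UsernamePasswordToken("api-client", "sample-password"));

        // getSession(false) never creates a session; null means none exists.
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("session present: " + (subject.getSession(false) != null));
    }
}
```

With session storage disabled, the authenticated state lives only in the `Subject` instance, so each request from the API client has to authenticate again.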