Hi Jean-Charles, I'm using Flex RPC supported by Shiro right now in a very large Flex enterprise product. I'm kinda slammed today (and possibly tomorrow - doing a production rollout), but I promise to write up how we've done this.
We're using the normal AMF-over-HTTP. Since it is HTTP based, the ShiroFilter intercepts all requests, which allows session association based on a cookie. That is how the Subject is bound to the current thread in HTTP environments by default. This usually works just great for any security checks you want to do during the request invocation.

Is your scenario that you, say, asynchronously trigger off a message somewhere else (e.g. JMS) and that processing must access the Subject's identity?

- Les

On Thu, Jul 9, 2009 at 3:46 AM, jcvidal <[email protected]> wrote:
>
> Hi
>
> I'm using a Flex client using RPC and a web server with a Spring-like bean
> (singleton).
>
> Broadly speaking, when I call a method in Flex (say 'doit()'), the Flex
> Servlet calls the doit() method in the bean.
>
> So, when I authenticate, I do a SecurityUtils.getSubject(), then a
> subject.login(). And the Subject is stocked in the ThreadContext.
>
> BUT, when furthermore I want to do something else (get a role for example),
> I call SecurityUtils.getSubject() and the subject comes from the
> ThreadContext.
>
> There is a problem: the Thread is not the same during the two calls, so at
> the second time, the SecurityUtils.getSubject() returns an "empty" subject.
>
> I'm using a DefaultSecurityManager, and obviously no JSecurityFilter.
>
> So is there a way to fix this trouble?
>
>
> Sincerely
>
> Jean-Charles
> --
> View this message in context:
> http://n2.nabble.com/SHIRO-and-Flex-RPC-tp3230066p3230066.html
> Sent from the Shiro User mailing list archive at Nabble.com.
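
Added example, not part of the thread and not Shiro's own code: a JDK-only model of the behaviour discussed above, showing why an identity bound to one thread is invisible on another and how a per-request filter that resolves a session cookie restores it. The class, `CURRENT`, `SESSIONS`, `login`, `filtered` and the user "alice" are all hypothetical stand-ins.

```java
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model: identity lives in a ThreadLocal, like the thread-bound Subject.
public class ThreadBoundSubjectDemo {
    static final ThreadLocal<String> CURRENT = new ThreadLocal<>();         // hypothetical thread context
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();  // session id -> principal

    // Stand-in for SecurityUtils.getSubject(): sees only this thread's binding.
    static String currentPrincipal() {
        String p = CURRENT.get();
        return p == null ? "<anonymous>" : p;
    }

    // Stand-in for a login done without a filter: binds to the calling thread only.
    static String login(String user) {
        String sessionId = "sess-" + user;  // constructed id; real session ids must be random
        SESSIONS.put(sessionId, user);
        CURRENT.set(user);
        return sessionId;
    }

    // Stand-in for the filter: resolve the session cookie, bind, invoke, always unbind.
    static <T> T filtered(String sessionCookie, Callable<T> call) throws Exception {
        String principal = sessionCookie == null ? null : SESSIONS.get(sessionCookie);
        if (principal != null) CURRENT.set(principal);
        try {
            return call.call();
        } finally {
            CURRENT.remove();  // pooled threads must not carry identity into the next request
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService t1 = Executors.newSingleThreadExecutor();
        ExecutorService t2 = Executors.newSingleThreadExecutor();
        try {
            Callable<String> doLogin = () -> login("alice");
            Callable<String> who = () -> currentPrincipal();
            String cookie = t1.submit(doLogin).get();
            Callable<String> viaFilter = () -> filtered(cookie, who);
            // Second call lands on another thread with no filter: the subject is empty.
            System.out.println("no filter:   " + t2.submit(who).get());
            // Same call routed through the filter with the session cookie.
            System.out.println("with filter: " + t2.submit(viaFilter).get());
            // The login thread was never unbound, so it still carries the identity.
            System.out.println("stale t1:    " + t1.submit(who).get());
        } finally { t1.shutdown(); t2.shutdown(); }
    }
}
```

The last line of output is the failure mode to watch for in servlet containers: a binding that is never removed stays on the pooled thread and is seen by whichever request runs there next.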
