Hi Andy,

Authentication state must be known by both servers for either of them to know if the currently executing user (aka 'Subject') is authenticated. That is, if you authenticate on one server, how is the other server supposed to know that the user is authenticated unless they share that state somehow?

There are a number of ways to solve your problem - are you looking for an idea of how I would solve this particular problem with Shiro or are you stating that you're tied to the mechanism that is in place now (redirect to another web page on another server then redirect back) and would like to know how to make that work?

Regards,

Les

On Tue, Jul 28, 2009 at 3:20 PM, Andy Tripp <[email protected]> wrote:
> Les,
>
> We're trying to do a centralized authentication service, in which one
> machine (one tomcat instance) does authentication and all other machines
> just redirect all servlet requests to the authentication machine. If a
> user is not authenticated, he gets the login screen, and on successful
> login, gets routed from the authentication server back to the URL that
> he requested on the application machine. So we'd have each application
> do what the sample webapp does: have a ShiroFilter in web.xml which
> redirects all URLS to login.jsp. At that point, the
> WebUtils.saveRequest() call saves a URL, but it saves it on the
> application machine, not the authentication server. Then, the login.jsp
> ACTION is to invoke a servlet on the authentication machine, where the
> WebUtils.getSavedRequest() would NOT retrieve the saved URL, because it
> was saved back on the application machine.
>
> So it looks like these PassThruAuthenticationFilter and
> FormAuthenticationFilter filters don't support centralized
> authentication out-of-the-box. Everything works for me now, but only
> because I'm running everything on a single machine.
>
> Does all that make sense? If so, don't we need to be "saving" the URL by
> storing it as a hidden field on login.jsp, and setting the
> user-requested URL as we send the user to login.jsp?
>
> Thanks again,
> Andy
>
> p.s. I'm working with Gurpreet, and this is a variation on her recent
> post to the list.
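
The hidden-field idea raised in the quoted message, sketched as an added example that is not part of the original thread and is not Shiro code: the application machine passes the requested URL to the login page as a parameter, and the authentication server accepts it only when it points back at a known application host, since the value now travels through the browser. The class name, the `returnTo` parameter and the `example.com` hosts are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

// Added illustration; class, parameter and host names are hypothetical, not Shiro API.
public class ReturnUrlExample {
    // Assumed: login.jsp is served by the authentication machine.
    static final String LOGIN_URL = "https://auth.example.com/login.jsp";
    // Assumed: the application hosts users may be routed back to after login.
    static final Set<String> APP_HOSTS = Set.of("app1.example.com", "app2.example.com");

    // Application machine: rather than saving the URL in its own session,
    // carry it to the authentication machine as a request parameter.
    static String buildLoginRedirect(String requestedUrl) {
        return LOGIN_URL + "?returnTo=" + URLEncoder.encode(requestedUrl, StandardCharsets.UTF_8);
    }

    // Authentication machine: after a successful login, use the returnTo value posted
    // from the hidden field only if it is an https URL on a known application host.
    static String resolveReturnUrl(String returnTo, String fallback) {
        if (returnTo == null) return fallback;
        try {
            URI uri = new URI(returnTo);
            String host = uri.getHost();
            boolean ok = "https".equalsIgnoreCase(uri.getScheme())
                    && host != null
                    && uri.getUserInfo() == null
                    && APP_HOSTS.contains(host.toLowerCase(Locale.ROOT));
            return ok ? uri.toString() : fallback;
        } catch (URISyntaxException e) {
            return fallback; // malformed value: ignore it
        }
    }

    public static void main(String[] args) {
        String fallback = "https://app1.example.com/"; // constructed sample values below
        System.out.println(buildLoginRedirect("https://app1.example.com/orders?id=7"));
        System.out.println(resolveReturnUrl("https://app1.example.com/orders?id=7", fallback));
        System.out.println(resolveReturnUrl("https://other.example.net/", fallback));
        System.out.println(resolveReturnUrl("not a url", fallback));
    }
}
```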
