Hi Les,
After spending time with Terracotta, I'm back to trying to just use
Shiro to implement SSO across multiple applications. I want to do what
you suggested... Each application will keep session info for that
particular application locally, and there will also be a centralized
machine containing session info for ALL applications. When a user logs
in to one app and then jumps to another app, he shouldn't have to log in
again. In that case, Shiro can't find session info locally and should go
look on the central machine.
I have Shiro working on a single machine now:
* in web.xml I have:
    [main]
    realmA = com.vonage.auth.client.VonageAuthenticationRealm
    [filters]
    authc = com.vonage.auth.client.VonageFormAuthenticationFilter
My VonageAuthenticationRealm class extends JdbcRealm and connects via
JDBC to our machine that has username/password info. The
VonageFormAuthenticationFilter class just overrides onLoginFailure() to
give the user an error message and overrides onLoginSuccess() to send
the user on to the URL he requested.
So that's working fine and now I want to:
1) send session info to central server on successful login
2) have Shiro check the central server when it can't find a given user's
session info.
I see in the ShiroFilter javadoc that I should do this to use "Shiro's
Session infrastructure" rather than HttpSession:
securityManager.sessionMode = shiro
I should do that, right? And then what? Where is Shiro checking for
session info, and how can I tap into that?
Thanks again,
Andy