The servlet spec mandates that if cookies are disabled, "URL rewriting may be used by the server as the basis for session tracking". The 'server' here is the servlet container or the swfUpload plugin acting as one.
If using this technique, the "session ID must be encoded as a path parameter in the URL string." For example:

http://www.somedomain.com/anyPage.htm;JSESSIONID=<session ID here>

So, if the swfUpload plugin sees a JSESSIONID cookie, and appends that as a query parameter, this _should_ work out of the box with any servlet container. If it does not, the swfUpload plugin might not be compliant with the servlet specification and I recommend that an issue be raised with that plugin to fix it.

That being said, Shiro will automatically check for a query parameter named JSESSIONID if it can't find a cookie. So, if you use the Shiro 'native' session mode, as Peter pointed out, and the swfUpload plugin translates the JSESSIONID cookie to a query parameter, it should work. But if it doesn't work with the normal servlet container, it may not work with Shiro since Shiro adheres to the spec.

You'd have to try and find out, but it smells like something might be weird with the swfUpload plugin...

HTH,

Les

On Wed, Sep 23, 2009 at 4:22 AM, Peter Ledbrook <[email protected]> wrote:
> Forwarded from the Grails mailing list. As far as I'm aware, the
> session is managed by the servlet container. I have no idea how you
> could restore the servlet session. You may have to use Shiro's session
> instead, which is enabled with this configuration option:
>
> security.shiro.session.mode = "shiro"
>
> The default value is "http". You probably have to do some other stuff
> to get your upload working, but I don't know what. Hopefully one of
> the real Shiro experts can help.
>
> Cheers,
>
> Peter
>
>
> ---------- Forwarded message ----------
> From: Finn Herpich <[email protected]>
> Date: 2009/9/22
> Subject: [grails-user] I want my cookie back (shiro)
> To: [email protected]
>
>
> Hi *,
>
> I'm currently playing around with swfUpload (http://swfupload.org) in
> an application secured via the shiroPlugin.
>
> So swfUpload has this nice plugin which enables it to send the cookies
> (needed for Shiro's session handling afaik) in addition to the uploaded
> file.
> But, in the swfUpload it says:
> "Note that this plugin sends the cookies name/values in the POST or
> GET. On the server side they will not be accessible as cookies. Some
> frameworks that automatically check cookies for session or
> authentication values still will not be able to find the values."
>
> My question here is: where can I place some code to restore the cookie
> with the session-id from the POST/GET parameter?
>
> Cheers
>
>
> Marfinn Software GmbH
> Registered office: Endenicher Straße 262, 53121 Bonn
> Court of registration: Amtsgericht Bonn, HRB 16233
> Managing directors: Martin Hensel, Finn Herpich
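
The difference between a session ID carried as a path parameter and one carried as a query parameter, which the reply above turns on, shown as an added example that is not part of the original thread and is not Shiro or servlet-container code. The class and method names are hypothetical, the sample URLs and the session ID value are constructed, and matching the parameter name case-insensitively is an assumption.

```java
import java.net.URI;
import java.util.Optional;

// Added illustration: reports where in a URL a session ID is carried.
public class SessionIdLocator {
    // Name as used in the thread; matched case-insensitively (assumption).
    static final String NAME = "JSESSIONID";

    /** Session ID carried as a path parameter: /anyPage.htm;JSESSIONID=abc */
    static Optional<String> fromPathParameter(URI uri) {
        String path = uri.getRawPath();
        if (path == null) return Optional.empty();
        for (String segment : path.split("/")) {
            String[] parts = segment.split(";");
            for (int i = 1; i < parts.length; i++) { // parts[0] is the segment itself
                Optional<String> value = valueIfNamed(parts[i]);
                if (value.isPresent()) return value;
            }
        }
        return Optional.empty();
    }

    /** Session ID carried as a query parameter: /upload?JSESSIONID=abc */
    static Optional<String> fromQueryParameter(URI uri) {
        String query = uri.getRawQuery();
        if (query == null) return Optional.empty();
        for (String pair : query.split("&")) {
            Optional<String> value = valueIfNamed(pair);
            if (value.isPresent()) return value;
        }
        return Optional.empty();
    }

    // Returns the value of "name=value" only when name is the session parameter.
    private static Optional<String> valueIfNamed(String pair) {
        int eq = pair.indexOf('=');
        if (eq <= 0 || eq == pair.length() - 1) return Optional.empty();
        return pair.substring(0, eq).equalsIgnoreCase(NAME)
                ? Optional.of(pair.substring(eq + 1)) : Optional.empty();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample URLs
            "http://www.somedomain.com/anyPage.htm;JSESSIONID=ABC123",
            "http://www.somedomain.com/upload?JSESSIONID=ABC123&file=1",
            "http://www.somedomain.com/anyPage.htm"
        };
        for (String s : samples) {
            URI u = URI.create(s);
            System.out.printf("%s%n  path param: %s, query param: %s%n", s,
                    fromPathParameter(u).orElse("-"), fromQueryParameter(u).orElse("-"));
        }
    }
}
```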
