Acquiring a Subject by session ID only works if using Shiro native sessions and only if the session that you're referencing is still valid (it hasn't stopped or expired).
This implies that the session ID you've acquired came from a previous interaction with a session, that is:

    Serializable sessionID = subject.getSession().getId();
    //make this available for use later somehow

    //later:
    String sessionId = //get session ID from somewhere
    Subject.Builder builder = new Subject.Builder(securityManager);
    builder.sessionId(sessionId);
    Subject subject = builder.buildSubject();

Don't use the SimpleSession - it is there for EIS implementation concerns only, and you would only ever access that class directly if you were writing a SessionDAO.

Finally, this all assumes that the session creation code (subject.getSession().getId()) and the code that re-builds the subject (builder.buildSubject()) are using the SAME SessionManager (which is wrapped by the SecurityManager instance). Are your session creation code and subject building code happening in two different JVMs or applications?

- Les

On Fri, Dec 18, 2009 at 3:55 AM, Jason Eacott <[email protected]> wrote:
> Hi all,
> I'm having some trouble using Shiro, any help appreciated.
> I've created a simple MethodInterceptor that appropriately wraps my code and
> tries to set up the Shiro subject & session etc.
> I'm in a standalone (not web) Spring environment, I don't have any IP address
> information, but I do have a string I want to use as a SessionId.
>
> I thought duplicating the code from the SecureRemoteInvocationExecutor would
> do it, but it doesn't.
>
>     SecurityManager securityManager =
>         this.securityManager != null ? this.securityManager :
>         SecurityUtils.getSecurityManager();
>
>     Subject.Builder builder = new Subject.Builder(securityManager);
>
>     builder.sessionId(MySessionId);
>
>     Subject subject = builder.buildSubject();//fails here with session doesn't exist
>
> so I found a thread that hinted at something so I tried this instead:
>
>     SecurityManager securityManager =
>         this.securityManager != null ? this.securityManager :
>         SecurityUtils.getSecurityManager();
>
>     SimpleSession session = new SimpleSession();
>
>     session.setId(MySessionId);
>     Subject subject = new
>         Subject.Builder(securityManager).session(session).buildSubject();
>
> this works, but when it's called again with the same MySessionId the session
> is recreated here so nothing sticks.
>
> I'd very much appreciate an example of how this is supposed to be done.
> How does the principal get set etc.?
>
> thank you.
> Jason.
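Added example, not part of the original thread or of Shiro's own code: a standalone program that logs in once, keeps the session ID Shiro issued, and rebuilds the Subject from it against the same SecurityManager. It assumes shiro-core 1.x on the classpath with the default in-memory native sessions; the class name, the `resume` helper, and the account name and password are constructed for illustration. The helper treats both an exception and an unauthenticated Subject as "no such session".

```java
import java.io.Serializable;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.subject.Subject;

public class ResumeBySessionId {

    // Hypothetical helper: rebuild a Subject from a session ID. Returns null
    // unless the ID maps to a live, authenticated session held by this
    // SecurityManager's SessionManager.
    static Subject resume(SecurityManager sm, Serializable sessionId) {
        try {
            Subject s = new Subject.Builder(sm).sessionId(sessionId).buildSubject();
            return s.isAuthenticated() ? s : null;
        } catch (InvalidSessionException e) {
            return null; // unknown, stopped or expired session
        }
    }

    public static void main(String[] args) {
        // Constructed sample account in an in-memory realm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("jason", "constructed-password");
        SecurityManager sm = new DefaultSecurityManager(realm);

        // First interaction: logging in is what attaches the principal to the
        // session; the ID is generated by Shiro, not chosen by the caller.
        Subject first = new Subject.Builder(sm).buildSubject();
        first.login(new UsernamePasswordToken("jason", "constructed-password"));
        Serializable sessionId = first.getSession().getId();

        // Later call: same SecurityManager, same session, same principal.
        Subject again = resume(sm, sessionId);
        System.out.println("resumed principal: "
                + (again == null ? null : again.getPrincipal()));

        // A string that never came from a Shiro session is not accepted.
        System.out.println("made-up ID accepted: "
                + (resume(sm, "my-own-string") != null));

        // Logging out stops the session, so the old ID no longer works.
        first.logout();
        System.out.println("old ID accepted after logout: "
                + (resume(sm, sessionId) != null));
    }
}
```

Anyone holding a valid session ID can rebuild the Subject, so the ID should be stored and passed around with the same care as any other credential.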
