>2.  If no session ID is in a Cookie header, or you're not using HTTP
>as a transport, the session ID must be attached to the remoting
>invocation as an attribute. (That is,
>RemoteInvocation.setAttribute(SESSION_ID_KEY, sessionId);  If you use
>Shiro's org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory
>in your client-tier spring remoting configuration, this will be done
>automatically.

I think the second option is my case. Yes, I use
org.apache.shiro.spring.remoting.SecureRemoteInvocationFactory (on the client)
with "native" sessions, and in fact the sessionId is attached.
If I configure the filter like this: /remoting/secure/**=myFilter,
perms[remote:invoke]
it looks like the filter's isAccessAllowed method is somehow bypassed and
execution goes directly to my Spring bean. I get the sessionId on the server
like this: SecurityUtils.getSubject().session.getId(), and I see it is identical to
what I send from the client. Moreover, annotation-based security checks like
@RequiresRoles("role2") work fine. I also noticed that it really does not
matter which filter you configure (authc, basicAuth, user); it works as I describe
with any of them. If I do not add "perms[remote:invoke]" to the filter config, all
of them try to redirect me to the login page.


Is your client another server application?  Or is it say, a desktop
application used by only one user?

> It is a desktop application.

>  I'll try to update the Shiro
>sample webapp that shows a Java WebStart application using remoting to
>call a Shiro-enabled server.

I already have such an application, based on the present web/spring example:
http://kenai.com/projects/shirospring. There are several additions to use Spring
remoting. I am trying to add a custom filter to that example.
Can I somehow help you with this tutorial update?

-- 
View this message in context: 
http://n2.nabble.com/Adding-new-custom-filter-to-filters-in-ShiroFilter-tp4188224p4193935.html
Sent from the Shiro User mailing list archive at Nabble.com.
