Hi,
I'm looking at using shiro in a (swing-based) client/server application,
using a "remoting" approach (like rmi, spring remoting, but this is a
custom implementation as I won't be using shiro's spring support) -- so
the client gets a remote proxy of some service interfaces that the
server exports.
What I'm currently thinking is that authentication will be an explicit
operation that the client can perform, which will result in it acquiring
a session token that can be sent with each subsequent invocation
request. The server will use the session token provided by the client
to add the appropriate subject to the invocation context before the
invocation is made. It looks like I can use shiro's session id as the
session token.
1. Can I create a session without logging in? This might be useful if
we implement some unprivileged client behavior which doesn't require login.
2. If the user logs in and then subsequently logs out (or is timed
out), is the session gone? Is the session id no longer valid? This
would mean that I would have to send a new session id to the client.
3. I understand that I can use the following to look up a subject for a
given session:
    subject = new Subject.Builder(securityManager).sessionId(sessionId).buildSubject();
But what happens if the sessionId is not valid? Will I get a new
(unauthenticated) subject without a session? Will it implicitly create
a session? Will subject construction fail? In my case, if the session
is no longer valid I would need to construct a new session and then
relay the new session id to the caller.
Thanks,
Jim
Subject: shiro session questions
From: Jim Newsham
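An added example, not code from the post or from the Shiro project, showing one way the server side of the scheme above could resolve the client's session token (question 3 in the post). It assumes the non-web DefaultSecurityManager, where, as I understand Shiro 1.2+, an unknown or expired session id passed to Subject.Builder is ignored and the built subject simply has no session; the class, the account "alice"/"s3cret" and the method names are my own constructs.

```java
import java.io.Serializable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

/** Hypothetical server-side helper: maps a client token (Shiro session id) to a Subject. */
public class RemoteSessionResolver {

    private final DefaultSecurityManager securityManager;

    public RemoteSessionResolver(DefaultSecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /** Builds the Subject for an invocation; starts a fresh session when the token is missing or no longer valid. */
    public Subject resolve(Serializable clientToken) {
        Subject.Builder builder = new Subject.Builder(securityManager);
        if (clientToken != null) {
            builder.sessionId(clientToken); // assumption: an invalid id is ignored, it does not throw
        }
        Subject subject = builder.buildSubject();
        if (subject.getSession(false) == null) {
            // No valid session behind the token (never issued, expired, or logged out):
            // start an unauthenticated one; the new id must be relayed back to the client.
            subject.getSession(true);
        }
        return subject;
    }

    /** True when the invocation reply must carry a new token back to the client. */
    public static boolean tokenChanged(Serializable clientToken, Subject subject) {
        return !subject.getSession().getId().equals(clientToken);
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "s3cret");              // constructed sample account
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(sm);
        RemoteSessionResolver resolver = new RemoteSessionResolver(sm);

        Subject anon = resolver.resolve(null);            // session without login (question 1)
        Serializable token = anon.getSession().getId();
        Subject s = resolver.resolve(token);              // later call, same token
        s.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("authenticated=" + s.isAuthenticated() + " changed=" + tokenChanged(token, s));
        s.logout();                                       // old token stops resolving (question 2)
        System.out.println("after logout changed=" + tokenChanged(token, resolver.resolve(token)));
    }
}
```

Whether the id survives a login unchanged depends on the session manager in use, which is why the reply path always compares ids rather than assuming the token is stable.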