Hi,
I solved my problem. I discovered (by disabling cookies) that it wasn't a
cookie-related problem.
I changed my code.
When the user logs in, I changed a line as follows:
// currentUser = SecurityUtils.getSubject(); // NOT working !
currentUser = new Subject.Builder().buildSubject(); // fresh Subject, no session yet
currentUser.login(token);                            // token: the AuthenticationToken for this login
currentUser.getSession(true);                        // true = create a new session if none exists
Now everything works.
I don't know if there is a bug in Shiro: it seems that
SecurityUtils.getSubject() retains the disconnected session id.
Francesco
On Sun, Jan 2, 2011 at 11:36 AM, Francesco Pasqualini <[email protected]> wrote:
> Hi,
> I really like the Shiro API and approach.
> I'm trying to use Shiro with GWT.
> But it seems there is a problem.
>
> According to the GWT "login security FAQ", I need to avoid using, on the server
> side, the session id retrieved from the cookie; instead I must pass it in the payload
> of the RPC request.
>
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
>
> So I implemented my GWT+Shiro as follows:
>
> 1) when the user starts login: obtain the new Shiro sessionId, pass it to the
> client, and store it on the client to pass back to the server
> 2) when a logged-in user does an RPC request: pass the stored sessionId from the
> client to the server in the payload of the RPC request, and on the server side I access
> the session this
> way: Subject.Builder().sessionId(sessionId).buildSubject().getSession()
>
> But my code does not work.
> When the user logs out and logs in again, Shiro does not provide a new
> sessionId, but keeps using the old one that is no longer valid (after logout), so I
> get the following exception when trying to log in with Shiro
> (currentUser.login(token)): "There is no session with id [the old ID]".
>
> Is there a way to tell Shiro not to use the sessionId passed with
> cookies but only the one "programmatically" passed?
>
> thanks
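The flow described in this thread (authenticate on a freshly built Subject, hand only the session id to the client, rebuild the Subject from the id carried in the RPC payload, and get a different id after logout/login) as an added, self-contained example. This is not Francesco's code and not Shiro's own sample code; it assumes a plain DefaultSecurityManager with Shiro's default in-memory session store, and the class name, method names and the "francesco"/"s3cret" account are constructed for the demo.

```java
import java.io.Serializable;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

/**
 * Session id carried in the RPC payload instead of a cookie (added example,
 * not code from the thread or from Shiro). Assumes a DefaultSecurityManager
 * with the default in-memory session DAO; account data is constructed.
 */
public class PayloadSessionDemo {

    private final SecurityManager securityManager;

    public PayloadSessionDemo(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /** Login RPC: authenticate on a fresh Subject and return the new session id to the client. */
    public Serializable login(String username, char[] password) throws AuthenticationException {
        // A Subject built this way starts with no session, so it cannot inherit a stale id
        // from a cookie or from the calling thread the way SecurityUtils.getSubject() can.
        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.login(new UsernamePasswordToken(username, password));
        // create=true: make sure a session exists; its id is the only thing the client gets.
        return subject.getSession(true).getId();
    }

    /** Every other RPC: rebuild the Subject from the id found in the request payload. */
    public Subject subjectFor(Serializable sessionIdFromPayload) {
        if (sessionIdFromPayload == null) {
            return new Subject.Builder(securityManager).buildSubject(); // anonymous Subject
        }
        // If the id no longer resolves (expired, or stopped by logout), Shiro returns an
        // anonymous Subject rather than throwing, so callers must check isAuthenticated().
        return new Subject.Builder(securityManager).sessionId(sessionIdFromPayload).buildSubject();
    }

    /** Logout RPC: stop the server-side session; the client must discard its stored id. */
    public void logout(Serializable sessionIdFromPayload) {
        subjectFor(sessionIdFromPayload).logout();
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("francesco", "s3cret"); // constructed demo credentials
        PayloadSessionDemo demo = new PayloadSessionDemo(new DefaultSecurityManager(realm));

        Serializable id = demo.login("francesco", "s3cret".toCharArray());
        Subject current = demo.subjectFor(id);
        System.out.println("after login:  authenticated=" + current.isAuthenticated()
                + " principal=" + current.getPrincipal());

        demo.logout(id);
        Subject stale = demo.subjectFor(id);
        System.out.println("after logout: authenticated=" + stale.isAuthenticated());

        // A second login must yield a different id; the client replaces the one it stored.
        Serializable id2 = demo.login("francesco", "s3cret".toCharArray());
        System.out.println("new session id differs from the old one: " + !id2.equals(id));
    }
}
```

Two things to keep in mind when moving this into a GWT servlet: a Subject created with Subject.Builder is not bound to the request thread, so code further down the call stack that relies on SecurityUtils.getSubject() will not see it unless you run that code through subject.execute(...) (or the Subject.associateWith wrappers); and if Shiro's web filter is also installed, its DefaultWebSessionManager will still read and write the session cookie unless you set sessionIdCookieEnabled to false, which is the setting that answers the cookie question in the thread. Whatever is sent over the wire, only the session id leaves the server; principals and the authenticated flag stay in the server-side session.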