Howdy, I was just wondering, wrt our issue brought up on this list (and the nice follow-ups) regarding Sessions in RESTful applications.

That thread provided a nice solution too: http://shiro-user.582556.n2.nabble.com/Sessions-and-REST-td6036008.html Also, Les mentioned the SHIRO-266 issue too, which will address this in future. But the discussions above cover applications that are "this or that" (black or white) only.

As we know, the culprit of the initial issue was stateless clients! Clients like Maven, wget, some script, etc. (stateless clients) usually do not handle cookies, so the session created by Shiro, and its ID sent back to the stateless client, goes completely unused. And this is not an uncommon thing (using stateless clients).

Hence, we started thinking about some "hybrid" solution (and it's maybe covered by SHIRO-266 or maybe not), to allow the Business Logic (the app integrating Shiro) to decide whether a Session is not needed (in 100% RESTful apps, or when you _know_ the client is stateless) or is needed (the usual "human" interaction over a UI or such).

We had a discussion about this yesterday, and concluded that the best solution for an app like Nexus (which is RESTful, but we want to relax its stateless nature for some human interactions for better usability) would be a solution like this. Simply, when we _know_ it is a human user accessing Nexus, create and maintain "normal" sessions (not those per-request sessions mentioned in the thread above), and when we _know_ it is a non-human interacting with Nexus, don't bother with Sessions at all, be 100% strict RESTful. Just enforce that every request carries authc info as REST defines.

Any thoughts?

Thanks,
~t~
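One way to implement the per-request "session or no session" decision described above, as an added example that is not part of the original post, of Shiro, or of Nexus: a Shiro filter that switches session creation off for requests that look like stateless API clients and leaves browser-style requests untouched. It assumes a Shiro release that honours the `DefaultSubjectContext.SESSION_CREATION_ENABLED` request attribute (1.2 or later), a container session cookie named `JSESSIONID`, and the hypothetical class name `HybridSessionFilter`; the "stateless client" heuristic (per-request `Authorization` header and no session cookie) is this example's assumption, not a Shiro rule.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.apache.shiro.web.servlet.PathMatchingFilter;

/**
 * Hybrid session policy (example code, not Shiro's or Nexus's own).
 * Stateless API clients get session creation disabled for the duration of
 * the request, so Shiro never allocates a server-side session (or emits a
 * session cookie) that the client would ignore. Browser-style requests keep
 * ordinary session semantics. Authentication itself is still enforced per
 * request by whatever authc filter runs next in the chain.
 *
 * Example shiro.ini wiring (assumed paths):
 *   [main]
 *   hybridSession = com.example.HybridSessionFilter
 *   [urls]
 *   /service/** = hybridSession, authcBasic
 */
public class HybridSessionFilter extends PathMatchingFilter {

    // Assumption: the container's default session cookie name.
    static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected boolean onPreHandle(ServletRequest request, ServletResponse response,
                                  Object mappedValue) {
        if (isStatelessClient((HttpServletRequest) request)) {
            // Shiro reads this attribute: Subject.getSession() will then throw
            // DisabledSessionException rather than creating a new session.
            request.setAttribute(DefaultSubjectContext.SESSION_CREATION_ENABLED, Boolean.FALSE);
        }
        return true; // never blocks; the next filter in the chain authenticates
    }

    /** Heuristic: credentials on every request and no session cookie => stateless. */
    static boolean isStatelessClient(HttpServletRequest req) {
        boolean hasCredentials = req.getHeader("Authorization") != null;
        boolean hasSessionCookie = false;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SESSION_COOKIE.equals(c.getName())) {
                    hasSessionCookie = true;
                }
            }
        }
        return hasCredentials && !hasSessionCookie;
    }
}
```

A UI client that has logged in already carries the session cookie and so keeps its session; a client such as Maven or wget that authenticates on every request never gets one, which also means a session store cannot fill up with one unused session per API call.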
