Greetings all,
I'm considering adding Shiro as the security framework in an existing
application with existing proprietary security code.
My main problem is CSRF: Shiro's session seems to be based on JSESSION,
which is the root of many web-related attacks. In our existing code, we
pass the session ID as part of the BODY of each request, so CSRF is fully
protected and the session cannot be hijacked.
Is it possible to somehow integrate Shiro into an existing session
creation and management system?
For instance, I'm looking for a hook method so that when
currentUser.isAuthenticated() is called, my existing logic will be
called (that is, looking for a session ID in a relational database), and
when currentUser.login(token) is called, it will allow me to override the
existing implementation, create my session ID and add it to the
database.
Thanks,
Avner.
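An added illustration (not part of Avner's post, and not Shiro's own code) of the two Shiro extension points closest to what is asked: a SessionDAO that stores every session in your own table, and a web session manager that reads the session ID only from a request parameter instead of a cookie. It assumes the Shiro web module; the in-memory map and the parameter name "sid" are placeholders for the real database and the existing request format.

```java
import java.io.Serializable;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

// Session store: every create/read/update/delete goes to your own table.
// The map stands in for that table (constructed placeholder, not a real DB).
public class DbSessionDAO extends AbstractSessionDAO {
    private final Map<Serializable, Session> table = new ConcurrentHashMap<>();

    @Override
    protected Serializable doCreate(Session session) {
        Serializable id = generateSessionId(session); // Shiro default: random, unguessable
        assignSessionId(session, id);
        table.put(id, session);                       // INSERT INTO sessions ...
        return id;
    }

    @Override
    protected Session doReadSession(Serializable id) {
        return table.get(id);                         // SELECT ... WHERE id = ?; null if unknown
    }

    @Override public void update(Session s) { table.put(s.getId(), s); }
    @Override public void delete(Session s) { table.remove(s.getId()); }
    @Override public Collection<Session> getActiveSessions() { return table.values(); }
}

// Session manager that never sets or reads a session cookie: the ID comes
// only from a body parameter, matching the existing proprietary scheme.
class BodyParamSessionManager extends DefaultWebSessionManager {
    static final String PARAM = "sid"; // hypothetical parameter name

    BodyParamSessionManager() {
        setSessionIdCookieEnabled(false); // no JSESSIONID-style cookie at all
        setSessionDAO(new DbSessionDAO());
    }

    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        String id = request.getParameter(PARAM);      // absent or empty -> no session
        return (id == null || id.isEmpty()) ? null : id;
    }
}
```

The login side is a separate hook: currentUser.login(token) ends up in a Realm's doGetAuthenticationInfo(), which is where the credential lookup against the existing tables belongs.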