On 03/13/2011 02:10 PM, Avner Cohen wrote:
> Greetings all,
>
> I'm considering adding Shiro as the security framework in an existing
> application with an existing proprietary security code.
>
> My main problem is CSRF. Shiro's session seems to be based on JSESSION,
> which is the root of many Web-related attacks. In our existing code, we
> pass the session ID as part of the BODY of each request, so CSRF is fully
> protected and the session cannot be hijacked.
>
> Is it possible to somehow integrate Shiro into an existing session
> creation and management system?

Certainly. Check out the SessionManager interface. Basically implement a SessionManager adapter for your session management system. The SessionContext and SessionKey will give you access to the ServletRequest and you can pull your information from there.

Any SecurityManager that extends SessionsSecurityManager allows you to set the SessionManager - or if you're using shiro.ini, it can be done in there.

> For instance, I'm looking for a hook method so that when
> currentUser.isAuthenticated() is called, my existing logic will be
> called (that is, looking for a session ID in a relational database), and
> when currentUser.login(token) is called, it will allow me to override
> the existing implementation and create my session ID and add this to the
> database.
>
> Thanks,
>
> Avner.
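To make the suggestion above concrete, here is an added example (not code from this thread or from the Shiro project) of a SessionManager adapter that resolves the session ID from a request body parameter instead of the JSESSIONID cookie, which is the property that keeps a cross-site form post from carrying a victim's session. The parameter name `sid`, the `SessionStore` interface and the class name are assumptions standing in for the application's own session-table code; `SessionManager`, `SessionKey`, `SessionContext`, `WebSessionKey` and `SimpleSession` are real Shiro types.

```java
// Added example: a Shiro SessionManager adapter that reads the session ID
// from the request body (a POST form parameter) rather than from a cookie.
// SessionStore, "sid" and the class names are placeholders for the
// application's existing session persistence (e.g. a database table).
import java.io.Serializable;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletRequest;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.SessionContext;
import org.apache.shiro.session.mgt.SessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.web.session.mgt.WebSessionKey;

public class BodySessionIdSessionManager implements SessionManager {

    /** Name of the body parameter that carries the session ID (assumed). */
    public static final String SESSION_ID_PARAM = "sid";

    /** Placeholder for the application's existing session persistence. */
    public interface SessionStore {
        void save(Serializable id, Session session);
        Session find(Serializable id);
    }

    /** In-memory stand-in so the adapter can run without a database. */
    public static class InMemorySessionStore implements SessionStore {
        private final Map<Serializable, Session> sessions = new ConcurrentHashMap<>();
        public void save(Serializable id, Session session) { sessions.put(id, session); }
        public Session find(Serializable id) { return sessions.get(id); }
    }

    private final SessionStore store;
    private final SecureRandom random = new SecureRandom();

    public BodySessionIdSessionManager() { this(new InMemorySessionStore()); }

    public BodySessionIdSessionManager(SessionStore store) { this.store = store; }

    /** Reached from Subject.login() / getSession(true): mint an unguessable ID and persist it. */
    @Override
    public Session start(SessionContext context) {
        SimpleSession session = new SimpleSession(context.getHost());
        // 128 bits from SecureRandom: the ID must not be predictable.
        session.setId(new BigInteger(128, random).toString(32));
        store.save(session.getId(), session);
        // The login handler is responsible for returning session.getId() in the
        // response body; the client then echoes it in the body of each request.
        return session;
    }

    /** Reached from Subject.isAuthenticated() etc.: resolve the session from the request body. */
    @Override
    public Session getSession(SessionKey key) throws SessionException {
        Serializable id = key.getSessionId();
        if (key instanceof WebSessionKey) {
            ServletRequest request = ((WebSessionKey) key).getServletRequest();
            if (request != null) {
                // For a POST form, getParameter reads the body, not the cookie or URL.
                String fromBody = request.getParameter(SESSION_ID_PARAM);
                if (fromBody != null && !fromBody.isEmpty()) {
                    id = fromBody;
                }
            }
        }
        if (id == null) {
            return null; // no session presented: Shiro treats the subject as anonymous
        }
        Session session = store.find(id);
        if (session == null) {
            throw new UnknownSessionException("No session with id " + id);
        }
        return session;
    }
}
```

Wiring it in through shiro.ini, as the reply mentions, is two lines in the `[main]` section: `sessionManager = com.example.BodySessionIdSessionManager` followed by `securityManager.sessionManager = $sessionManager` (the package name is assumed). Note that `getParameter` only sees the body for form-encoded POSTs; if the application sends JSON bodies, the adapter must read the ID from wherever that parsing already stores it.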