Hi Martin, The DefaultWebSecurityManager can be used w/ non-web threads: if the current Subject is not a web subject, the DWSM will delegate to its parent class, which of course does work in non-web environments.
The key to ensuring this works cleanly is to ensure that thread cleanup occurs before and after the non-web thread executes. This is covered in the Subject documentation (http://shiro.apache.org/subject.html) - see the "Custom Subject Instances" part, along with the Thread Association sections. You basically would use a Subject.Builder to construct a Subject instance, and then call Subject.execute* to ensure the subject is bound to the thread and removed from the thread before/after execution. This is what the Shiro Filter does in a web app, but something you'd need to do yourself for non-web-request scenarios. HTH! -- Les Hazlewood Founder, Katasoft, Inc. Application Security Products & Professional Apache Shiro Support and Training: http://www.katasoft.com On Mon, Apr 4, 2011 at 8:09 AM, martinso <[email protected]> wrote: > Hi, > > We are successfully using the DefaultWebSecurityManager in our custom app > server (embedding jetty) to handle user web requests. Now we also have a > proprietary "non-web" service running inside the JVM in which threads should > also be executed in a Shiro context, typically for "automated agent" shiro > users and totally unrelated to any web sessions. > > What are the best practices for mixing two scenarios like this in a single > JVM where isolation with ClassLoaders is not an option? Can the > DefaultWebSecurityManager be used also in the non-web threads, or do we need > another solution? > > Any help much appreciated. > > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/Mixing-web-contexts-and-non-web-contexts-in-same-JVM-tp6238960p6238960.html > Sent from the Shiro User mailing list archive at Nabble.com.
