The problem I have is that we are trying to use Shiro for everything, whether it's an application user or an end user. Both types of users are stored in the data layer, which is also protected by Shiro. Think of LDAP with Shiro for security even though LDAP is the data source.
I will probably have to create a token of some kind to introduce an exception in the authentication routine, but still through Shiro, possibly through a special realm to load the initial core user into the cache and automatically expire the token. The session then never expires and is kept in the cache. Do you see any issue with this approach? I'm trying to keep security the same for every layer if possible. Potentially, I may even go with a Realm to utilize OS-level security info.

Thanks,
Jack

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Chicken-Egg-Issue-on-Security-tp6456259p6471704.html
Sent from the Shiro User mailing list archive at Nabble.com.
