Hello, I'm looking at using Shiro in a server application that runs in multiple processes on multiple machines. It doesn't have a typical web-frontend to it, although there are some pieces that are exposed to the web.
I want to have sessions and such set up such that:

- The client connects with a persistent connection to one of the servers. They're given a session ID and logged in.
- The client can connect to other servers, provide that session ID and be automatically treated as a logged in user and hooked up to authorization correctly.

For some reason, I'm having a bit of a problem wrapping my head around all of the pieces involved here, partially since there are so many different classes, all layering on each other ...

So, to start, I've found that I can set up a credential matcher that always succeeds, which is fine since I can do that after our existing authorization code runs. I've since forgotten where I found this code, but I can surely find it again.

I've written a quick and dirty ZooKeeper-based cache for handling distributed session storage for now, to avoid adding EHCache or something to our infrastructure in the next week or two. I can use that with the EnterpriseCacheSessionDAO and plug that in somewhere so that all sessions are persisted and retrieved from a ZooKeeper instance.

But, what's the right way to handle the sessionID stuff? On the login server, call login on the subject and then get a session? How do I ensure that's validated? Should I be storing something into the session to tie it back to that user, or is that already handled somewhere in an appropriate way? What are best practices for avoiding session hijacking and such? What support is built into Shiro for helping out with that?

Hoping for a better understanding...

- Bruce
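The flow the post asks about (login on one node, resume the same Subject from the session id on another node), as an added Java example that is not part of the original post and not Shiro's own documentation. It builds two stand-alone Shiro 1.x SecurityManagers, one per "server", that share a single SessionDAO; the shared MemorySessionDAO is an assumed stand-in for the ZooKeeper-backed DAO described above, and the account, realm name and session id string are constructed demo values. Only shiro-core is assumed on the classpath.

```java
// Added example: two Shiro "server nodes" sharing one session store.
// MemorySessionDAO stands in for a ZooKeeper/EnterpriseCacheSessionDAO-backed store.
import java.io.Serializable;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.Subject;

public class DistributedSessionDemo {

    /** Shared session store: every node reads and writes the same DAO (assumed stand-in). */
    private static final SessionDAO SHARED_STORE = new MemorySessionDAO();

    /** Builds one node's SecurityManager wired to the shared store. */
    static DefaultSecurityManager newNode() {
        SimpleAccountRealm realm = new SimpleAccountRealm("demo-realm");
        realm.addAccount("bruce", "secret", "user");   // constructed demo account

        DefaultSessionManager sessions = new DefaultSessionManager();
        sessions.setSessionDAO(SHARED_STORE);
        sessions.setGlobalSessionTimeout(30 * 60 * 1000L); // idle timeout: 30 minutes
        // The background validation thread is not needed for this demo.
        sessions.setSessionValidationSchedulerEnabled(false);

        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        sm.setSessionManager(sessions);
        return sm;
    }

    /** Login node: authenticate, then hand back the session id Shiro generated. */
    static Serializable loginOnNodeA(DefaultSecurityManager nodeA, String user, String pass) {
        Subject subject = new Subject.Builder(nodeA).buildSubject();
        subject.login(new UsernamePasswordToken(user, pass));
        // Shiro's DefaultSubjectDAO has already written the principals and the
        // authenticated flag into the session as attributes; nothing to add by hand.
        return subject.getSession().getId();
    }

    /** Any other node: rebuild the Subject from the presented session id. */
    static Subject resumeOnNodeB(DefaultSecurityManager nodeB, Serializable sessionId) {
        // An unknown or expired id resolves to an anonymous Subject rather than
        // throwing, so callers must check isAuthenticated(), never just non-null.
        return new Subject.Builder(nodeB).sessionId(sessionId).buildSubject();
    }

    public static void main(String[] args) {
        DefaultSecurityManager nodeA = newNode();
        DefaultSecurityManager nodeB = newNode();

        Serializable id = loginOnNodeA(nodeA, "bruce", "secret");

        Subject resumed = resumeOnNodeB(nodeB, id);
        System.out.println("valid id  -> authenticated=" + resumed.isAuthenticated()
                + " principal=" + resumed.getPrincipal()
                + " hasRole(user)=" + resumed.hasRole("user"));

        // Constructed bogus id: no session behind it, so the Subject is anonymous.
        Subject forged = resumeOnNodeB(nodeB, "not-a-real-session-id");
        System.out.println("forged id -> authenticated=" + forged.isAuthenticated()
                + " principal=" + forged.getPrincipal());

        resumed.logout(); // stops the shared session, so every node sees it as invalid
    }
}
```

Two points the example is meant to make visible. First, Shiro ties the session to the user for you: after `login`, the principals and the authenticated flag are stored as session attributes, and `Subject.Builder(...).sessionId(id)` on any node that reads the same store reconstructs the same authenticated Subject, with authorization checks such as `hasRole` working against that node's realm. Second, the session id is the bearer credential in this design, so the receiving node should trust `isAuthenticated()` (not merely the presence of a session), let Shiro's own id generator produce ids, keep session timeouts enabled so stale ids expire in the shared store, and call `logout()` so the session is invalidated cluster-wide rather than only dropped locally.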
