Hi guys, I am using Shiro 1.2.0 to implement cross-app SSO, with subjects shared between multiple apps. The sessions are persisted using custom SessionDAO based on Apache Cayenne.
Originally I ran into a problem with 'native' Shiro sessions. With 'native' sessions on, an HttpSession is just a proxy to a Shiro session. When application A saves an attribute (unrelated to Shiro) in an HttpSession, this gets persisted via SessionDAO. Later application B deserializes that session, and gets a bunch of attributes it doesn't care about (even worse - it may attempt to deserialize classes it doesn't have, resulting in exceptions). So here we have undesired expansion of HttpSession scope.

To separate Shiro sessions from HttpSessions, I switched to "servlet container sessions" (WebSessionManager returns "true" for 'isServletContainerSessions'). A bit counterintuitive, as SessionManager still uses a CayenneSessionDAO.

This works more or less OK, but today I discovered a related problem - if 'servletContainerSessions' is true, ShiroFilter would not call 'updateSessionLastAccessTime'. While I can create my own Shiro filter, at this point I figured I'd consult the community - maybe I am moving in the wrong direction with the whole session management mechanism here? Thoughts?

Thanks,
Andrus
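The custom filter mentioned in the post, written out as an added example (this is not code from the post or from the Shiro project). It assumes Shiro 1.2.x, where `AbstractShiroFilter.updateSessionLastAccessTime(...)` is a protected hook that the stock filter skips whenever `isHttpSessions()` is true, and it assumes that the session returned by `subject.getSession(false)` is the DAO-backed Shiro session handed out by the custom WebSessionManager; the class name `TouchingShiroFilter` is made up here.

```java
// Added example, not part of the original post or of Apache Shiro.
// Assumes Shiro 1.2.x: AbstractShiroFilter.updateSessionLastAccessTime(...)
// is a protected hook that the base class only acts on for 'native' sessions.
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.servlet.ShiroFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class TouchingShiroFilter extends ShiroFilter {

    private static final Logger log = LoggerFactory.getLogger(TouchingShiroFilter.class);

    @Override
    protected void updateSessionLastAccessTime(ServletRequest request, ServletResponse response) {
        // The stock implementation returns early when isHttpSessions() is true,
        // so a DAO-backed session behind a 'servlet container sessions' manager
        // never gets lastAccessTime refreshed and its idle timeout is effectively
        // measured from the first request rather than from the last one.
        Subject subject = SecurityUtils.getSubject();
        // Pass false: only touch a session that already exists, never create one
        // as a side effect of bookkeeping.
        Session session = subject.getSession(false);
        if (session == null) {
            return;
        }
        try {
            // Assumption: this is the DAO-backed Shiro session from the custom
            // WebSessionManager, so touch() updates lastAccessTime and the
            // change is persisted through the SessionDAO.
            session.touch();
        } catch (Throwable t) {
            // A failed timestamp update must not break the request itself.
            log.error("session.touch() failed for session " + session.getId(), t);
        }
    }
}
```

Register this class in web.xml in place of `org.apache.shiro.web.servlet.ShiroFilter`; the only behavioural change is that sessions are touched on every request regardless of the `servletContainerSessions` setting.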
