From this post
<http://grails.1312388.n4.nabble.com/Binding-Security-Manager-to-the-thread-context-and-Shiro-tp3217915p3218140.html>:
Typically a subject is automatically created, bound and unbound for a
thread by the ShiroFilter when servicing a web request. If your logic
is NOT triggered by a web request (e.g. via a startup or daemon
thread, or different thread (e.g. ExecutorService or thread pool)),
then you'll need to do the create/bind/unbind logic yourself. See the
Subject page for more information.
So it means, as I understand it, that if we connect to an EJB we must do the
create/bind/unbind logic ourselves. As I understand it, we must send the
sessionId to the server and use the following code:

    Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();

However, testing my remote EJB from a standalone client and calling the testMe
method several times, I see that it keeps the id and the user is authenticated.

    public void testMe() {
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
            System.out.println("#0:" + currentUser.getSession().getId());
            currentUser.login(token);
        } else {
            currentUser.logout();
            System.out.println("I logged out");
        }
        System.out.println("#1:" + currentUser.getSession().getId());
    }

When I call it the first time from my client I have:
#0:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
#1:f7b3117d-b4e0-4eef-9221-f99dbb87ecc2
When I call it the second time from the client I have:
I logged out
#1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
#0:2edcab36-cb97-4722-b91b-82ec225deb78
#1:2edcab36-cb97-4722-b91b-82ec225deb78
Again:
I logged out
#1:b92ba3f4-deb9-41f2-9a36-b571dc33f082
So my question: should I send the sessionId to the server from the client, or
does Shiro use some mechanism to keep the sessionId between client and server?
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Shiro-session-for-EJB-tp7579994.html
Sent from the Shiro User mailing list archive at Nabble.com.
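
Added example, not part of the original post and not Shiro project code: the create/bind/unbind pattern from the quoted passage, applied to a call that arrives outside ShiroFilter on a reused pool thread. It assumes shiro-core 1.x on the classpath; the class name, the in-memory realm and the helpers login and callAs are hypothetical.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

public class RemoteSubjectExample {            // hypothetical class name
    static SecurityManager sm;

    // Authenticate once; the returned session id is what the client keeps.
    static Serializable login(String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject.getSession().getId();
    }

    // Create a Subject from the caller's session id and bind it only for the
    // duration of the work; execute() clears the thread state in a finally.
    static <V> V callAs(Serializable sessionId, Callable<V> work) {
        Subject subject = new Subject.Builder(sm).sessionId(sessionId).buildSubject();
        return subject.execute(work);
    }

    public static void main(String[] args) throws Exception {
        Ini ini = new Ini();                    // constructed sample realm
        ini.setSectionProperty("users", "lonestarr", "vespa");
        sm = new DefaultSecurityManager(new IniRealm(ini));

        Serializable id = login("lonestarr", "vespa");
        ExecutorService pool = Executors.newSingleThreadExecutor(); // stands in for a pooled server thread
        for (int i = 0; i < 2; i++) {
            System.out.println(pool.submit(() -> callAs(id, () -> {
                Subject s = SecurityUtils.getSubject();
                return s.isAuthenticated() + " " + s.getSession().getId();
            })).get());
            // Nothing stays bound to the reused thread between calls.
            System.out.println(pool.submit(() -> ThreadContext.getSubject() == null).get());
        }
        pool.shutdown();
    }
}
```

Because the Subject is unbound after each call, a later request served by the same pooled thread cannot pick up the previous caller's identity.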