Hello,

I'm trying to implement a simple SSO functionality using Shiro (I have a
main app <app1>, in which a user logs on and makes requests to some
servlets, and those servlets should share the session with app1). What I am
trying to do:
- enable Shiro security
- I use DefaultWebSessionManager with MemorySessionDAO
- make a custom filter and override isAccessAllowed, and check the JSESSIONID
cookie, if it exists in sessionDAO, create the Subject and check if it is
already authenticated.

The problem is that when I look in the sessionDAO, using getActiveSessions()
in app1 I see the session, but in servlet1, getActiveSessions() returns
nothing. What do I have to do in order to see in servlet1 all the
sessions?

Here is my shiro.ini:

[users]
user = test123

[main]
customFilter = view.filter.FacesAjaxAwareUserFilter
shiro.loginUrl = /faces/login.jsf
user.loginUrl = /faces/login.jsf

logoutFilter = org.apache.shiro.web.filter.authc.LogoutFilter
logoutFilter.redirectUrl = /faces/login.jsf

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Configure a SessionDAO and then set it:
#org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO = org.apache.shiro.session.mgt.eis.MemorySessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO

securityManager.sessionManager.sessionIdCookie.path = /

[urls]
/faces/logout = logout
/faces/** = customFilter


And my isAllowedFunction:
        // Reach the SessionDAO through this web application's SecurityManager
        DefaultWebSecurityManager mngr =
                (DefaultWebSecurityManager) SecurityUtils.getSecurityManager();
        DefaultWebSessionManager sessionManager =
                (DefaultWebSessionManager) mngr.getSessionManager();
        MemorySessionDAO dao = (MemorySessionDAO) sessionManager.getSessionDAO();

        // List every session this DAO instance currently holds
        Collection<Session> coll = dao.getActiveSessions();
        if (coll != null) {
            for (Session crt : coll) {
                String attribute = (String) crt.getAttribute("custom");
                System.out.println("Session: " + crt.getId() + ", "
                        + crt.getHost() + "; Attr: " + attribute);
                // sessionId is defined outside this snippet
                // (the JSESSIONID cookie value, per the description above)
                Subject requestSubject =
                        new Subject.Builder().sessionId(sessionId).buildSubject();
            }
        }




--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Use-the-same-sessionDAO-between-different-webapps-tp7580581.html
Sent from the Shiro User mailing list archive at Nabble.com.
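
Added example, not part of the original post: MemorySessionDAO keeps its sessions in a map inside the instance, and each web application that loads its own shiro.ini builds its own instance, so a session created through one is unknown to the other. The class name SessionDaoIsolationDemo, the two DAO variable names and the sample attribute value are constructed for illustration; running it needs shiro-core on the classpath.

```java
import java.io.Serializable;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;

public class SessionDaoIsolationDemo {

    /** Returns the session stored under id, or null when this DAO does not hold it. */
    static Session lookup(MemorySessionDAO dao, Serializable id) {
        try {
            return dao.readSession(id);
        } catch (UnknownSessionException e) {
            // readSession throws rather than returning null for an unknown id
            return null;
        }
    }

    public static void main(String[] args) {
        // Stand-ins for the DAO that each web application creates from the line
        // "sessionDAO = org.apache.shiro.session.mgt.eis.MemorySessionDAO"
        MemorySessionDAO app1Dao = new MemorySessionDAO();
        MemorySessionDAO servlet1Dao = new MemorySessionDAO();

        // app1 creates a session at login (constructed sample values)
        SimpleSession session = new SimpleSession("127.0.0.1");
        session.setAttribute("custom", "constructed-value");
        Serializable id = app1Dao.create(session);

        // Same id, two different answers: the stores are separate objects
        System.out.println("app1 active sessions:     " + app1Dao.getActiveSessions().size());
        System.out.println("servlet1 active sessions: " + servlet1Dao.getActiveSessions().size());
        System.out.println("id known to app1:     " + (lookup(app1Dao, id) != null));
        System.out.println("id known to servlet1: " + (lookup(servlet1Dao, id) != null));

        // A filter that treats a cookie value as a valid session must therefore
        // resolve it against the store that actually created the session.
        if (lookup(servlet1Dao, id) == null) {
            System.out.println("servlet1 must reject or re-authenticate this request");
        }
    }
}
```

Sharing sessions between the two applications requires a SessionDAO backed by a store that both can reach, such as a distributed cache or a database.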
