I am working on a mature application (Spring 3.x, Shiro 1.2.x) and have written a long-poll mechanism for making long queries to avoid browser timeouts. It works by "tunneling" HTTP calls to the server and making the calls from the server side, i.e., "delegating" the client call to the server. But I run into authentication issues with Shiro.
I have tried the "hack" of reusing the JSESSIONID to make the call, which works correctly sometimes but not consistently. Regardless, this seems like a workaround and not the correct approach. Is it possible to make HTTP calls within the server and maintain the use of Apache Shiro? If so, how? I would really like this to work as I would like to maintain the current Shiro security per client. I have verified that the Shiro Subject on the incoming HTTP call is authenticated and that the Subject is correctly passed to the thread on which I would like to make the HTTP call.

Thanks!
C2Dev
