Take a look at this: https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java#L292 and https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L52-L53
On Fri, Jun 24, 2016 at 11:28 AM, Lenny Primak <[email protected]> wrote: > Not sure where (but I’ve seen that in the code before) > it will bind the subject (and hence the session) to the ThreadLocal storage > > But this happens in the native sessions only. > In the servlet session (default) it just delegates to whatever the servlet > container does > > On Jun 24, 2016, at 2:19 AM, Martin Nielsen <[email protected]> wrote: > > Hello Shiro Users > > I am trying to get my head around how session handling happens in > Shiro-Web. > Looking at the code, there does not seem to be any code in the filters > that sens any information to the securitymanager that has to do with > sessions. (Looking > at org.apache.shiro.web.filter.authc.AuthenticatingFilter and > FromAuthenticationFilter as well as BasicHttpAuthenticationFilter) > > How does the Web SessionManagers get this information? I see that i should > be able to get the sessions subject like this: > > http://shiro.apache.org/session-management.html#SessionManagement-StatefulApplications%28Sessionsallowed%29 > > > Serializable sessionId = //get from the inbound request or remote method > invocation payloadSubject requestSubject = new > Subject.Builder().sessionId(sessionId).buildSubject(); > > But how does the sessionmanager get this session id when it does not seem to > be sent from the login filters? > > What did i miss? > > > Thank you for the help > > -Martin > > >
