I completely missed the AbstractShiroFilter WebSubject instantiation. Thanks:)
On Fri, Jun 24, 2016 at 6:37 PM, Brian Demers <[email protected]> wrote: > Take a look at this: > > https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java#L292 > and > > https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L52-L53 > > On Fri, Jun 24, 2016 at 11:28 AM, Lenny Primak <[email protected]> > wrote: > >> Not sure where (but I’ve seen that in the code before) >> it will bind the subject (and hence the session) to the ThreadLocal >> storage >> >> But this happens in the native sessions only. >> In the servlet session (default) it just delegates to whatever the >> servlet container does >> >> On Jun 24, 2016, at 2:19 AM, Martin Nielsen <[email protected]> wrote: >> >> Hello Shiro Users >> >> I am trying to get my head around how session handling happens in >> Shiro-Web. >> Looking at the code, there does not seem to be any code in the filters >> that sens any information to the securitymanager that has to do with >> sessions. (Looking >> at org.apache.shiro.web.filter.authc.AuthenticatingFilter and >> FromAuthenticationFilter as well as BasicHttpAuthenticationFilter) >> >> How does the Web SessionManagers get this information? I see that i >> should be able to get the sessions subject like this: >> >> http://shiro.apache.org/session-management.html#SessionManagement-StatefulApplications%28Sessionsallowed%29 >> >> >> Serializable sessionId = //get from the inbound request or remote method >> invocation payloadSubject requestSubject = new >> Subject.Builder().sessionId(sessionId).buildSubject(); >> >> But how does the sessionmanager get this session id when it does not seem to >> be sent from the login filters? >> >> What did i miss? >> >> >> Thank you for the help >> >> -Martin >> >> >> >
