Hi all,

We have a stateless JAX-RS application that uses Shiro. Once a user has authenticated and its Subject has been put in the ThreadContext, Shiro will return that Subject for all subsequent requests processed by the same Tomcat thread. Going through the logs, this seems to happen because AbstractShiroFilter#doFilterInternal calls createSubject(...) before calling subject.execute(...). createSubject somehow binds the Subject to the session; however, there is no corresponding unbind call, as confirmed by the "Bound value of type..." and "Removed value of type..." entries in the logs (see below).

I have been pounding my head against the wall with this, any help would be greatly appreciated!

Thanks,
Franck

Configuration

Shiro.ini:

ShiroFilter:

web.xml:

Logs

The logs for the first request to come in look like this: our Realm is invoked to authenticate the request, but there is no "Removed value of type..." anywhere in the logs, so the authenticated Subject remains in the ThreadContext:

The next request to come in on the same thread generates this log; our Realm is not invoked:

--
Sent from: http://shiro-user.582556.n2.nabble.com/
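As an added illustration of the bind/unbind pairing the post describes (not code from the original post or from the Shiro project), the hypothetical servlet filter below is meant to be mapped in web.xml *before* ShiroFilter: on entry it detects a Subject left on the worker thread by a previous request, and on exit it performs the unbind unconditionally. It assumes the javax.servlet API (Tomcat 8/9) and SLF4J, which Shiro itself uses for logging.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical filter (added example, not from the post). Mapped ahead of ShiroFilter,
 * so anything already bound to this thread when we run belongs to an earlier request.
 */
public class ThreadContextCleanupFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(ThreadContextCleanupFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Detection: a Subject present before ShiroFilter ran is stale state from a
        // previous request on this pooled Tomcat thread, the symptom the post describes.
        Subject stale = ThreadContext.getSubject();
        if (stale != null) {
            log.warn("Stale Subject on worker thread {} (authenticated={}); clearing it",
                    Thread.currentThread().getName(), stale.isAuthenticated());
            ThreadContext.remove(); // emits Shiro's "Removed value of type..." log lines
        }
        try {
            chain.doFilter(req, resp);
        } finally {
            // Mitigation: the unbind the post finds missing, done regardless of how the
            // request ended, so the thread returns to the pool with no identity attached.
            ThreadContext.remove();
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

The warn line makes the leak visible in the same log stream as Shiro's own "Bound value of type..." entries, so a request served by a thread with leftover state can be correlated with the earlier request that bound it.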
