I figured it out. My use case is that users can request some HTML page, but I don't want to have a session open for them. No need for sessions in this case. So when you call dispatcher.forward(...) in a servlet, your request is forwarded to the JSP page, and Shiro processing (Subject.getSession()...) and checks are executed. Don't use noSessionCreation when you use a servlet-JSP combination, since the servlet forwards the request to your JSP. If you must, you should either write HTML to the servlet response (which is not a good practice) or use some template framework (e.g. a FreeMarker template) to do this for you. NoSessionCreation is meant for one-time request/response calls like REST or SOAP, as stated in the docs.
Regards
Armando

--
Sent from: http://shiro-user.582556.n2.nabble.com/
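The template-framework alternative mentioned in the post above, as an added example that is not part of the original message or of Shiro's own code: a servlet on a `noSessionCreation` path renders HTML with FreeMarker directly instead of forwarding to a JSP. It assumes Shiro 1.x with `javax.servlet` and FreeMarker 2.3.28 or later; the class name, URL, template path and the `shiro.ini` mapping in the comment are hypothetical.

```java
// Added example. Assumed shiro.ini mapping for this servlet (hypothetical URL):
//   [urls]
//   /public/page = noSessionCreation, anon
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

@WebServlet("/public/page")
public class SessionlessPageServlet extends HttpServlet {
    private Configuration cfg;

    @Override
    public void init() {
        cfg = new Configuration(Configuration.VERSION_2_3_28);
        // Templates live under WEB-INF so they cannot be requested directly.
        cfg.setServletContextForTemplateLoading(getServletContext(), "/WEB-INF/templates");
        cfg.setDefaultEncoding("UTF-8");
        // Fail the request on template errors instead of emitting a partial page.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Map<String, Object> model = new HashMap<>();
        model.put("title", "Public page"); // constructed sample value
        resp.setContentType("text/html;charset=UTF-8");
        try {
            // The .ftlh extension selects FreeMarker's HTML auto-escaping output format.
            Template page = cfg.getTemplate("page.ftlh");
            page.process(model, resp.getWriter()); // no forward, no JSP
        } catch (TemplateException e) {
            throw new ServletException("template rendering failed", e);
        }
        // getSession(false) never creates a session; it only reports an existing one.
        if (req.getSession(false) != null) {
            log("unexpected HTTP session on a noSessionCreation path");
        }
    }
}
```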
