IIRC you _should_ be able to use the same SecurityManager for web and non-web requests.
However, two different SecurityManager's with the same Realm may cause issues, especially if they are using caches. We have a Spring RMI example here: https://github.com/apache/shiro/blob/f782eb1084df73eff3e2ac0f9780cb4a4f429041/support/spring/src/main/java/org/apache/shiro/spring/remoting/SecureRemoteInvocationExecutor.java (It's been a while since I've done anything with RMI, so someone else might be able to give you better advice) On Fri, Nov 20, 2020 at 3:14 PM Alex Orlov <[email protected]> wrote: > I have an application that can be accessed by http and rmi protocols. > > When an user uses http protocol he passes shiro web filter — everything is > clear here, no problem. > I wanted to use the same SecurityManager and for rmi protocol, but, of > course, it didn’t work: > > 22:21:44.599 [HTTP-Dispatcher] WARN > org.apache.shiro.authc.AbstractAuthenticator - Authentication failed for > token submission [myapp.security.AuthenticationToken@325c75dc]. Possible > unexpected error? (Typical or expected login exceptions should extend from > AuthenticationException). > java.lang.IllegalArgumentException: SessionContext must be an HTTP > compatible implementation. > at > org.apache.shiro.web.session.mgt.ServletContainerSessionManager.createSession(ServletContainerSessionManager.java:103) > ~[shiro-all-1.7.0.jar:?] > at > org.apache.shiro.web.session.mgt.ServletContainerSessionManager.start(ServletContainerSessionManager.java:64) > ~[shiro-all-1.7.0.jar:?] > at > org.apache.shiro.mgt.SessionsSecurityManager.start(SessionsSecurityManager.java:152) > ~[shiro-all-1.7.0.jar:?] > at > org.apache.shiro.subject.support.DelegatingSubject.getSession(DelegatingSubject.java:340) > ~[shiro-all-1.7.0.jar:?] > > As I understand, for rmi server I must create another security manager: > SecurityManager securityManager = new DefaultSecurityManager(myRealm); > > Could anyone say — if it is possible to use the same Realm instance > (already initialized) for the second security manager? > > > -- > Best regards, Alex Orlov >
