Hi, Do you have some logs?
Can you activate trace log level? regards, François [email protected] Le 14/05/2021 à 12:50, Dev a écrit : > Hello everyone, > > I noticed that the `login` method on DefaultSecurityManager always > creates a session. > In my opinion, this is not always useful; for example a http-basic > authenticated API-client > might not need a session. I tried to use > `DefaultSubjectContext#setSessionCreationEnabled(false)` > before creating the Subject that I want to login. But this setting is > not considered. > > So my question is: > Is this behavior intentional? If so, what is the reasoning? And is > there a way to prevent Shiro from > creating a session after authentication? > > Here's how I tried it in more detail: > > var securityManager = new DefaultSecurityManager(); > var ctxt = new DefaultSubjectContext(); > ctxt.setSecurityManager(securityManager); > ctxt.setSessionCreationEnabled(false); > > var subject = securityManager.createSubject(ctxt); > // the subject is now a `DelegatingSubject` with > `sessionCreationEnabled == false` > > subject.login(token); // calls securityManager#login > // The login call above caused the creation of a session. The property > `sessionCreationEnabled` was ignored. > > Thanks in advance for your help, > Claudio
