Posted to user@shiro.apache.org by Andrus Adamchik <aa...@gmail.com> on 2012/09/19 23:58:15 UTC

Splitting Shiro sessions from HttpSessions

Hi guys,

I am using Shiro 1.2.0 to implement cross-app SSO, with subjects shared between multiple apps. The sessions are persisted using a custom SessionDAO based on Apache Cayenne.

Originally I ran into a problem with 'native' Shiro sessions. With 'native' sessions on, an HttpSession is just a proxy to a Shiro session. When application A saves an attribute (unrelated to Shiro) in an HttpSession, this gets persisted via the SessionDAO. Later application B deserializes that session and gets a bunch of attributes it doesn't care about (even worse - it may attempt to deserialize classes it doesn't have, resulting in exceptions).

So here we have an undesired expansion of HttpSession scope. To separate Shiro sessions from HttpSessions, I switched to "servlet container sessions" (WebSessionManager returns "true" for 'isServletContainerSessions'). A bit counterintuitive, as the SessionManager still uses a CayenneSessionDAO.

This works more or less ok, but today I discovered a related problem - if 'servletContainerSessions' is true, ShiroFilter would not call 'updateSessionLastAccessTime'. While I can create my own Shiro filter, at this point I figured I'd consult the community - maybe I am moving in the wrong direction with the whole session management mechanism here?

Thoughts?

Thanks,
Andrus
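One way to keep 'native' Shiro sessions while stopping application-local HttpSession attributes from leaking into the shared store is to filter at the SessionDAO boundary. The class below is an added example for this thread, not code from the post or from the Shiro project: a SessionDAO decorator that wraps the existing store (the Cayenne-backed DAO in the setup described above is assumed as the delegate) and, on every `update`, persists a copy of the session carrying only allow-listed attribute keys. Shiro's own keys (`DefaultSubjectContext.PRINCIPALS_SESSION_KEY` and `AUTHENTICATED_SESSION_KEY`) are always kept so the shared Subject survives; the package name and the `allow(...)` method are this example's own. It relies on the public `SimpleSession` setters that exist in Shiro 1.2.

```java
package example.shiro; // hypothetical package, not part of Shiro

import java.io.Serializable;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/**
 * SessionDAO decorator that persists only allow-listed session attributes.
 * Application-local HttpSession attributes stay in the local session object
 * (and any local cache) but never reach the shared store, so other apps
 * never see them and never try to deserialize classes they do not have.
 */
public class AttributeFilteringSessionDAO implements SessionDAO {

    private final SessionDAO delegate;            // e.g. the Cayenne-backed DAO (assumed)
    private final Set<Object> allowedKeys = new HashSet<Object>();

    public AttributeFilteringSessionDAO(SessionDAO delegate) {
        this.delegate = delegate;
        // Shiro's own keys must survive, or the shared Subject is lost between apps.
        allowedKeys.add(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        allowedKeys.add(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
    }

    /** Opt a cross-app attribute key into the shared store (example-specific method). */
    public void allow(Object key) {
        allowedKeys.add(key);
    }

    /** Build a detached copy of the session with only allow-listed attributes. */
    private Session filtered(Session s) {
        SimpleSession copy = new SimpleSession(s.getHost());
        copy.setId(s.getId());
        copy.setStartTimestamp(s.getStartTimestamp());
        copy.setLastAccessTime(s.getLastAccessTime());
        copy.setTimeout(s.getTimeout());
        if (s instanceof SimpleSession) {
            // Preserve stop/expiry state, otherwise a logged-out session would
            // be written back to the store looking live.
            SimpleSession ss = (SimpleSession) s;
            copy.setStopTimestamp(ss.getStopTimestamp());
            copy.setExpired(ss.isExpired());
        }
        Map<Object, Object> attrs = new HashMap<Object, Object>();
        for (Object key : s.getAttributeKeys()) {
            if (allowedKeys.contains(key)) {
                attrs.put(key, s.getAttribute(key));
            }
        }
        copy.setAttributes(attrs);
        return copy;
    }

    // Create is passed through unfiltered: a freshly created session has no
    // application attributes yet, and AbstractSessionDAO assigns the new id
    // onto the very object it receives, so a copy here would lose that id.
    public Serializable create(Session session) {
        return delegate.create(session);
    }

    public Session readSession(Serializable sessionId) throws UnknownSessionException {
        return delegate.readSession(sessionId);
    }

    // Every write-back (attribute change, touch, stop) goes through the filter.
    public void update(Session session) throws UnknownSessionException {
        delegate.update(filtered(session));
    }

    public void delete(Session session) {
        delegate.delete(session);
    }

    public Collection<Session> getActiveSessions() {
        return delegate.getActiveSessions();
    }
}
```

Wire it in by handing the wrapped instance to the DefaultWebSessionManager's `sessionDAO` property instead of the raw Cayenne DAO. Because the filter sits outside the delegate, a CachingSessionDAO delegate still caches the full session for the local app, so an app's own attributes keep working within that app; only the shared persistence is narrowed, which is the scope separation the thread is after.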