Posted to user@shiro.apache.org by otter606 <ra...@gmail.com> on 2012/11/02 11:37:07 UTC

post-login listener?

Hello,
 First of all, as a new user to Shiro I'd just like to say what an excellent
project it is. We decided to give it a try to implement instance-based
permissions in our web application; it seems much easier to do this in Shiro
than in Spring Security ACLs.

We found the migration quite straightforward from SpringSecurity to Shiro,
however we have one outstanding issue we need help with:

Our webapp keeps track of active sessions. Previously, in Spring Security we
implemented an HttpSessionAttributeListener and, when a Spring session
attribute was set, we got the principal's details and added them to our
userTracker collection.

Using a similar approach in Shiro fails, however: if we listen for the
'org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY'
session object, this is set BEFORE the Principal is set into the subject.
E.g., in DefaultSecurityManager#login:

    Subject loggedIn = createSubject(token, info, subject); // sets session attribute

    onSuccessfulLogin(token, info, loggedIn);               // sets Principal into the subject

So in our listener class, in the method
public void attributeAdded(HttpSessionBindingEvent event),

SecurityUtils.getSubject().getPrincipal() returns null.

Is there a recommended way to hook application code into a post-login / post-
session-expired event triggered by Shiro, so that we can get access to the
Subject's identity?

Thanks very much,

Richard



--
View this message in context: http://shiro-user.582556.n2.nabble.com/post-login-listener-tp7577907.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: post-login listener?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Richard,

Glad you like using Shiro!

First, please open a Jira issue for this - I think we can arrange it such
that you see the desired behavior without problems.

Second, the way to solve this at the moment I think is to use a combination
of an AuthenticationListener and SessionListener.  The issue with the
SessionListener however is that it is only valid when using Shiro's native
session management.

Again, if you open a Jira, we can take a look at this asap.

HTH!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk


On Fri, Nov 2, 2012 at 3:37 AM, otter606 <ra...@gmail.com> wrote:

> Hello,
>  First of all, as a new user to Shiro I'd just like to say what an
> excellent
> project it is. We decided to give it a try to implement instance-based
> permissions in our web application; it seems much easier to do this in
> Shiro
> than in Spring Security ACLs.
>
> We found the migration quite straightforward from SpringSecurity to Shiro,
> however we have one outstanding issue we need help with:
>
> Our webapp keeps track of active sessions. Previously, in Spring Security we
> implemented an HttpSessionAttributeListener and, when a Spring session
> attribute was set, we got the principal's details and added them to our
> userTracker collection.
>
> Using a similar approach in Shiro fails, however: if we listen for the
> 'org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY'
> session object, this is set BEFORE the Principal is set into the subject.
> E.g., in DefaultSecurityManager#login:
>
>     Subject loggedIn = createSubject(token, info, subject); // sets session attribute
>
>     onSuccessfulLogin(token, info, loggedIn);               // sets Principal into the subject
>
> So in our listener class, in the method
> public void attributeAdded(HttpSessionBindingEvent event),
>
> SecurityUtils.getSubject().getPrincipal() returns null.
>
> Is there a recommended way to hook application code into a post-login / post-
> session-expired event triggered by Shiro, so that we can get access to the
> Subject's identity?
>
>
> Thanks very much,
>
> Richard
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/post-login-listener-tp7577907.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
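The combination Les suggests (an AuthenticationListener for login/logout plus a SessionListener for expiry) can live on one object, which also explains why the servlet-side HttpSessionAttributeListener in the question saw a null principal. The class below is an added example written for this thread, not code from Shiro or from either poster; the package name com.example.tracking, the class name UserTracker, and the shiro.ini wiring in the header comment are assumptions. The Shiro types and methods it uses (AuthenticationListener, SessionListener, DefaultSubjectContext.PRINCIPALS_SESSION_KEY) are the real ones.

```java
// Added example (not from the thread). Package and class names are assumed.
package com.example.tracking;

import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/*
 * Typical shiro.ini wiring (assumed form). Native session management is
 * required for the SessionListener half to fire, as Les notes above:
 *
 *   [main]
 *   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 *   securityManager.sessionManager = $sessionManager
 *   userTracker = com.example.tracking.UserTracker
 *   securityManager.authenticator.authenticationListeners = $userTracker
 *   securityManager.sessionManager.sessionListeners = $userTracker
 */
public class UserTracker implements AuthenticationListener, SessionListener {

    /** Primary principals of users who have logged in and not yet left. */
    private final Set<Object> activeUsers =
            Collections.newSetFromMap(new ConcurrentHashMap<Object, Boolean>());

    /* ---- AuthenticationListener ----
     * AbstractAuthenticator fires these from authenticate(), which
     * DefaultSecurityManager#login calls before createSubject(). The identity
     * must therefore be read from the AuthenticationInfo: at this point
     * SecurityUtils.getSubject().getPrincipal() is still null, which is the
     * symptom described in the question. */

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        if (principal != null) {
            activeUsers.add(principal);
        }
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // A failed login changes nothing in the registry; this is the place
        // to log failed attempts if you want them beside the active-user view.
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        if (principals != null) {
            activeUsers.remove(principals.getPrimaryPrincipal());
        }
    }

    /* ---- SessionListener ----
     * Covers the session-expired case, which never reaches onLogout. The
     * principals are read from the session attribute Shiro stores under
     * DefaultSubjectContext.PRINCIPALS_SESSION_KEY, i.e. the same key the
     * question was watching from the servlet side. */

    @Override
    public void onStart(Session session) {
        // Anonymous sessions start before login; nothing to record yet.
    }

    @Override
    public void onStop(Session session) {
        forget(session);
    }

    @Override
    public void onExpiration(Session session) {
        forget(session);
    }

    private void forget(Session session) {
        Object attr = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        if (attr instanceof PrincipalCollection) {
            activeUsers.remove(((PrincipalCollection) attr).getPrimaryPrincipal());
        }
    }

    /** Read-only snapshot for an admin page or monitoring endpoint. */
    public Set<Object> getActiveUsers() {
        return Collections.unmodifiableSet(activeUsers);
    }
}
```

The registry is keyed by primary principal, so a user with two concurrent sessions is dropped as soon as the first one stops or expires; if that matters, key the map by session id instead and keep the principal as the value, resolving it from the same session attribute in forget(). With a container-managed (servlet) session, only the AuthenticationListener half fires, so expired sessions would have to be reconciled another way.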