Posted to user@shiro.apache.org by vpcoder <m....@docu.com> on 2017/09/29 11:56:57 UTC

Re: Multiple subjects in one session

Hi Brian and all who are interested in Shiro with browser multi-tabs,

I was a bit busy over the last weeks, so I was not able to go further on
this problem. Anyway, I'm back here on 'multiple Subjects in one Session'
and want to give a short feedback, because I have solved my 'multi tab
issue' now.

First I followed the idea from Brian to only extend the SessionManager. I
controlled the Cookie generation and created a new SessionId Cookie (and
therefore a new Session) for every new tab. I did it by appending
Vaadin's embedId to the Cookie's name. As a result, each ServletRequest had
multiple sessionIdCookies, one for each tab. Everything worked fine, except
that sometimes I got a ServletRequest without an embedId, which resulted in
a not authenticated Subject. I did not find out why sometimes a request
came in without an embedId. Anyway, I don't know Vaadin in much detail when
it comes to network communication, so in my opinion it was a bit too risky
to get this working.

That was the reason I came back to my initial idea, because that only
affects the Shiro mechanism itself, but not the VaadinSessions and the
communication (except for reading the embedId). For storing and
reading the Session's attributes 'Authenticated' and 'Principals' I added a
separate pair of them for each browser tab by appending the embedId to the
attribute's name. After some bug fixing of my code, I got it to work without
any unexpected Vaadin behaviours. To realize this, I had to extend
SubjectDAO and SubjectContext. To teach Shiro to use those classes I also had
to extend classes like SecurityManager, SubjectFactory and Subject. The
changes are minimal and easy to understand. For the special case where I
have to log in with SSO (this is configurable by the customer), I don't want
to have a separate Subject for each tab. For this case, I added a special
Session attribute 'FORCE_SESSION_AUTH'. Using this flag I can dynamically
decide if I need one Subject for the whole Session or one for every tab.

I hope this explanation together with my initial post gives you an idea of
my solution. Please forgive me that I cannot deliver all those code changes
here in the forum, because of our company's policy. But if you need some
more pointers I'm glad to give you advice.

Greets
Michi

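A sketch of the per-tab SubjectDAO described in the post, added here as an example; it is not Michi's code (his changes were not posted) nor part of Shiro itself. It extends Shiro's DefaultSubjectDAO so that the 'Principals' and 'Authenticated' session attributes are stored under a key suffixed with the embedId, and falls back to one Subject per Session when the FORCE_SESSION_AUTH attribute is set. TabIdResolver is an assumed hook for reading the current request's embedId; the matching SubjectContext override that reads these keys back is not shown.

```java
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/** Stores Shiro's 'Principals' and 'Authenticated' attributes under one key per browser tab. */
public class PerTabSubjectDAO extends DefaultSubjectDAO {
    /** Session attribute that forces a single Subject for the whole Session (the SSO case). */
    public static final String FORCE_SESSION_AUTH = "FORCE_SESSION_AUTH";

    /** Assumed hook: returns the Vaadin embedId of the current request, or null if there is none. */
    public interface TabIdResolver { String currentTabId(); }

    private final TabIdResolver tabIds;

    public PerTabSubjectDAO(TabIdResolver tabIds) { this.tabIds = tabIds; }

    /** Per-tab key; falls back to Shiro's standard key when SSO mode is on or no embedId was sent. */
    protected String tabKey(Session session, String baseKey) {
        String tabId = tabIds.currentTabId();
        boolean forceSessionAuth = Boolean.TRUE.equals(session.getAttribute(FORCE_SESSION_AUTH));
        return (forceSessionAuth || tabId == null) ? baseKey : baseKey + "." + tabId;
    }

    @Override
    protected void mergePrincipals(Subject subject) {
        PrincipalCollection principals = subject.getPrincipals();
        boolean hasPrincipals = principals != null && !principals.isEmpty();
        Session session = subject.getSession(hasPrincipals); // create a session only if there is something to store
        if (session == null) return;
        String key = tabKey(session, DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        if (hasPrincipals) session.setAttribute(key, principals);
        else if (session.getAttribute(key) != null) session.removeAttribute(key);
    }

    @Override
    protected void mergeAuthenticationState(Subject subject) {
        boolean authenticated = subject.isAuthenticated();
        Session session = subject.getSession(authenticated);
        if (session == null) return;
        String key = tabKey(session, DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
        if (authenticated) session.setAttribute(key, Boolean.TRUE);
        else if (session.getAttribute(key) != null) session.removeAttribute(key);
    }

    @Override
    protected void removeFromSession(Subject subject) { // logout: clear only this tab's pair of attributes
        Session session = subject.getSession(false);
        if (session == null) return;
        session.removeAttribute(tabKey(session, DefaultSubjectContext.AUTHENTICATED_SESSION_KEY));
        session.removeAttribute(tabKey(session, DefaultSubjectContext.PRINCIPALS_SESSION_KEY));
    }
}
```

A request that arrives without an embedId resolves to the shared key, which holds no principals in per-tab mode; that matches the "not authenticated Subject" symptom the post describes for the cookie-based attempt.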