Posted to user@shiro.apache.org by Stuart Broad <st...@moogsoft.com> on 2013/11/15 16:34:41 UTC

Session creation per realm or token (SSO and Username/Password)

Hi,

I am using 'core' shiro (not spring based) and would like to do the
following but am not sure how to achieve it:

*Case A:*
Users will log into the system using a username and password
(UsernamePasswordToken).  This authentication takes place once and after
logging in a persistent session will be created (this session will be
deleted once logged out or timed out).  This session has an id which is
used for future requests.

*Case B:*
User information will be passed in an HTTP header (SSOToken) and the user
will be 'authenticated' every time.


I can achieve either of the above scenarios by configuring the security
manager (my realm can handle either type of login token).


*Problem:*
The problem is I need the code to handle both case A and case B at the same
time.  Handling the login token is not a problem but I am not sure how to
handle the session.  What I would like to do is for case A create a
persistent session and for case B create a throw-away in-memory session (or
no session at all).

*Possible Solutions:*
If there was a way to link the session management to a realm then perhaps I
could use two different realms (one for the username/password and the other
for the sso token).

Perhaps there is a way to write a custom session manager that will create
different types of session depending upon the context.


Any suggestions?

Cheers,

Stuart

Re: Session creation per realm or token (SSO and Username/Password)

Posted by Stuart Broad <st...@moogsoft.com>.
OK, so that didn't work for me.  The way I have resolved it is by creating
an 'sso session' which I set on the Subject.Builder so that the subject
uses that session.  My SessionDAO is written so that it does not persist
any 'sso' sessions.

Cheers,

Stuart


On Mon, Nov 18, 2013 at 4:38 PM, Stuart Broad <st...@moogsoft.com> wrote:

> I haven't tested this yet but I think the solution will be to use
> Subject.Builder:
>
>  .sessionCreationEnabled(false)
>
>
>
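
An added illustration of the approach Stuart settled on in the reply above; this is not code from the thread or from Shiro itself. It assumes a single realm that accepts both token types (as he describes), a marker session attribute named `sso.session`, a token class `SsoToken` and a DAO class `SsoAwareSessionDao` (all names chosen here), and a constructed user store with one entry. Case A goes through the normal `login()` path, so Shiro asks the `SessionManager` for a session and the DAO stores it; case B hands the `Subject.Builder` a pre-built `SimpleSession` flagged as SSO, and the DAO refuses to persist anything carrying that flag, so no server-side state outlives the request:

```java
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.subject.Subject;

/** Case B token (assumed name): identity taken from an HTTP header, nothing to verify locally. */
final class SsoToken implements AuthenticationToken {
    private final String headerValue;
    SsoToken(String headerValue) { this.headerValue = headerValue; }
    @Override public Object getPrincipal() { return headerValue; }
    @Override public Object getCredentials() { return null; }   // vetted by the upstream SSO layer
}

/** One realm that handles either token type, as the original post describes (demo user store). */
final class DualTokenRealm extends AuthenticatingRealm {
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "s3cret"); // constructed

    @Override public boolean supports(AuthenticationToken t) {
        return t instanceof UsernamePasswordToken || t instanceof SsoToken;
    }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        String user = String.valueOf(t.getPrincipal());
        if (!USERS.containsKey(user)) throw new AuthenticationException("unknown user " + user);
        return new SimpleAuthenticationInfo(user, USERS.get(user), getName());
    }
    @Override protected void assertCredentialsMatch(AuthenticationToken t, AuthenticationInfo i) {
        if (t instanceof SsoToken) return;   // header identity: no password to compare
        super.assertCredentialsMatch(t, i);  // case A: normal password comparison
    }
}

/** SessionDAO (assumed name) that stores case A sessions but never persists sessions flagged as SSO. */
final class SsoAwareSessionDao extends AbstractSessionDAO {
    static final String SSO_MARKER = "sso.session";   // assumed attribute name
    private final Map<Serializable, Session> store = new ConcurrentHashMap<>();

    static boolean isSso(Session s) { return Boolean.TRUE.equals(s.getAttribute(SSO_MARKER)); }

    @Override protected Serializable doCreate(Session s) {
        Serializable id = generateSessionId(s);
        assignSessionId(s, id);
        if (!isSso(s)) store.put(id, s);          // throw-away session: give it an id, keep nothing
        return id;
    }
    @Override protected Session doReadSession(Serializable id) { return store.get(id); }
    @Override public void update(Session s) throws UnknownSessionException {
        if (!isSso(s)) store.put(s.getId(), s);
    }
    @Override public void delete(Session s) { store.remove(s.getId()); }
    @Override public Collection<Session> getActiveSessions() {
        return Collections.unmodifiableCollection(store.values());
    }
    int persistedCount() { return store.size(); }
}

public class DualSessionDemo {
    public static void main(String[] args) {
        SsoAwareSessionDao dao = new SsoAwareSessionDao();
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setSessionDAO(dao);
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new DualTokenRealm());
        securityManager.setSessionManager(sessionManager);
        SecurityUtils.setSecurityManager(securityManager);

        // Case A: password login; Shiro creates the session via the session manager and the DAO stores it
        Subject a = new Subject.Builder(securityManager).buildSubject();
        a.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("case A session id=" + a.getSession().getId()
                + " persisted=" + dao.persistedCount());             // persisted=1

        // Case B: identity from a header (constructed value); the subject is given a flagged
        // in-memory session up front, so nothing reaches the DAO's store
        SimpleSession sso = new SimpleSession();
        sso.setAttribute(SsoAwareSessionDao.SSO_MARKER, Boolean.TRUE);
        Subject b = new Subject.Builder(securityManager).session(sso).buildSubject();
        b.login(new SsoToken("alice"));
        System.out.println("case B authenticated=" + b.isAuthenticated()
                + " persisted=" + dao.persistedCount());             // still 1

        a.logout();                                                  // DAO.delete removes case A's entry
    }
}
```

Because the flagged session never enters the store, a case B caller has no session id to replay on a later request; each request is authenticated afresh from the header, which is exactly the behaviour asked for in case B, and it means the header must only be trusted when it is set by the upstream SSO component rather than by the client.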

Re: Session creation per realm or token (SSO and Username/Password)

Posted by Stuart Broad <st...@moogsoft.com>.
I haven't tested this yet but I think the solution will be to use
Subject.Builder:

 .sessionCreationEnabled(false)

