Posted to user@shiro.apache.org by Martin Nielsen <mn...@gmail.com> on 2016/06/24 07:19:41 UTC

How does session handling actually happen in Shiro-Web?

Hello Shiro Users

I am trying to get my head around how session handling happens in Shiro-Web.
Looking at the code, there does not seem to be any code in the filters that
sends any information to the securitymanager that has to do with sessions.
(Looking at org.apache.shiro.web.filter.authc.AuthenticatingFilter and
FormAuthenticationFilter as well as BasicHttpAuthenticationFilter)

How do the Web SessionManagers get this information? I see that I should
be able to get the session's subject like this:
http://shiro.apache.org/session-management.html#SessionManagement-StatefulApplications%28Sessionsallowed%29


Serializable sessionId = //get from the inbound request or remote method invocation payload
Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject();

But how does the sessionmanager get this session id when it does not
seem to be sent from the login filters?

What did I miss?


Thank you for the help

-Martin

Re: How does session handling actually happen in Shiro-Web?

Posted by Martin Nielsen <mn...@gmail.com>.
I completely missed the AbstractShiroFilter WebSubject instantiation.
Thanks:)

On Fri, Jun 24, 2016 at 6:37 PM, Brian Demers <br...@gmail.com>
wrote:

> Take a look at this:
>
> https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java#L292
> and
>
> https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L52-L53
>
> On Fri, Jun 24, 2016 at 11:28 AM, Lenny Primak <lp...@hope.nyc.ny.us>
> wrote:
>
>> Not sure where (but I’ve seen that in the code before)
>> it will bind the subject (and hence the session) to the ThreadLocal
>> storage
>>
>> But this happens in the native sessions only.
>> In the servlet session (default) it just delegates to whatever the
>> servlet container does
>>
>> On Jun 24, 2016, at 2:19 AM, Martin Nielsen <mn...@gmail.com> wrote:
>>
>> Hello Shiro Users
>>
>> I am trying to get my head around how session handling happens in
>> Shiro-Web.
>> Looking at the code, there does not seem to be any code in the filters
>> that sends any information to the securitymanager that has to do with
>> sessions. (Looking
>> at org.apache.shiro.web.filter.authc.AuthenticatingFilter and
>> FormAuthenticationFilter as well as BasicHttpAuthenticationFilter)
>>
>> How do the Web SessionManagers get this information? I see that I
>> should be able to get the session's subject like this:
>>
>> http://shiro.apache.org/session-management.html#SessionManagement-StatefulApplications%28Sessionsallowed%29
>>
>>
>> Serializable sessionId = //get from the inbound request or remote method invocation payload
>> Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject();
>>
>> But how does the sessionmanager get this session id when it does not seem to be sent from the login filters?
>>
>> What did I miss?
>>
>>
>> Thank you for the help
>>
>> -Martin
>>
>>
>>
>

Re: How does session handling actually happen in Shiro-Web?

Posted by Brian Demers <br...@gmail.com>.
Take a look at this:
https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java#L292
and
https://github.com/apache/shiro/blob/1.2.x/web/src/main/java/org/apache/shiro/web/filter/authc/AuthenticatingFilter.java#L52-L53

On Fri, Jun 24, 2016 at 11:28 AM, Lenny Primak <lp...@hope.nyc.ny.us>
wrote:

> Not sure where (but I’ve seen that in the code before)
> it will bind the subject (and hence the session) to the ThreadLocal storage
>
> But this happens in the native sessions only.
> In the servlet session (default) it just delegates to whatever the servlet
> container does
>
> On Jun 24, 2016, at 2:19 AM, Martin Nielsen <mn...@gmail.com> wrote:
>
> Hello Shiro Users
>
> I am trying to get my head around how session handling happens in
> Shiro-Web.
> Looking at the code, there does not seem to be any code in the filters
> that sends any information to the securitymanager that has to do with
> sessions. (Looking
> at org.apache.shiro.web.filter.authc.AuthenticatingFilter and
> FormAuthenticationFilter as well as BasicHttpAuthenticationFilter)
>
> How do the Web SessionManagers get this information? I see that I should
> be able to get the session's subject like this:
>
> http://shiro.apache.org/session-management.html#SessionManagement-StatefulApplications%28Sessionsallowed%29
>
>
> Serializable sessionId = //get from the inbound request or remote method invocation payload
> Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject();
>
> But how does the sessionmanager get this session id when it does not seem to be sent from the login filters?
>
> What did I miss?
>
>
> Thank you for the help
>
> -Martin
>
>
>

Re: How does session handling actually happen in Shiro-Web?

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Not sure where (but I’ve seen that in the code before)
it will bind the subject (and hence the session) to the ThreadLocal storage

But this happens in the native sessions only.
In the servlet session (default) it just delegates to whatever the servlet container does

> On Jun 24, 2016, at 2:19 AM, Martin Nielsen <mn...@gmail.com> wrote:
> 
> Hello Shiro Users
> 
> I am trying to get my head around how session handling happens in Shiro-Web.
> Looking at the code, there does not seem to be any code in the filters that sends any information to the securitymanager that has to do with sessions. (Looking at org.apache.shiro.web.filter.authc.AuthenticatingFilter and FormAuthenticationFilter as well as BasicHttpAuthenticationFilter)
>
> How do the Web SessionManagers get this information? I see that I should be able to get the session's subject like this:
> http://shiro.apache.org/session-management.html#SessionManagement-StatefulApplications%28Sessionsallowed%29
> Serializable sessionId = //get from the inbound request or remote method invocation payload
> Subject requestSubject = new Subject.Builder().sessionId(sessionId).buildSubject();
> But how does the sessionmanager get this session id when it does not seem to be sent from the login filters?
> What did I miss?
> 
> Thank you for the help
> -Martin
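
The mechanism the replies point to, as an added sketch that is not part of the thread and not Shiro's own source: a filter builds a WebSubject from the request and response and runs the chain inside it, so the session manager resolves the session ID from the request itself (the session cookie with native sessions, the container's HttpSession otherwise). The class name SubjectBindingFilter and the demo.hasSession attribute are hypothetical; the sketch assumes shiro-web 1.2.x and the javax.servlet API on the classpath.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.apache.shiro.web.subject.WebSubject;

// Hypothetical class for illustration; in a real application ShiroFilter does this work.
public class SubjectBindingFilter implements Filter {
    private final WebSecurityManager securityManager;

    // Assumes programmatic registration, so the manager can be passed in directly.
    public SubjectBindingFilter(WebSecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        // The request/response pair goes into the subject context. No session ID is
        // passed explicitly: the web session manager reads it from this request.
        Subject subject = new WebSubject.Builder(securityManager, request, response)
                .buildWebSubject();
        try {
            // execute() binds the subject to the current thread for the duration of the call.
            subject.execute(new Callable<Void>() {
                public Void call() throws Exception {
                    // The thread-bound subject is what downstream authc filters look up.
                    Session session = SecurityUtils.getSubject().getSession(false);
                    request.setAttribute("demo.hasSession", session != null);
                    chain.doFilter(request, response);
                    return null;
                }
            });
        } catch (ExecutionException e) {
            // Shiro wraps checked exceptions thrown inside the callable.
            throw new ServletException(e.getCause());
        }
    }
}
```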