Posted to user@shiro.apache.org by Dev <no...@yahoo.com> on 2021/05/14 10:50:58 UTC

DefaultSecurityManager.login without creating a session

Hello everyone,
I noticed that the `login` method on DefaultSecurityManager always creates a session. In my opinion, this is not always useful; for example a http-basic authenticated API-client might not need a session. I tried to use `DefaultSubjectContext#setSessionCreationEnabled(false)` before creating the Subject that I want to login. But this setting is not considered.

So my question is: Is this behavior intentional? If so, what is the reasoning? And is there a way to prevent Shiro from creating a session after authentication?

Here's how I tried it in more detail:

var securityManager = new DefaultSecurityManager();
var ctxt = new DefaultSubjectContext();
ctxt.setSecurityManager(securityManager);
ctxt.setSessionCreationEnabled(false);

var subject = securityManager.createSubject(ctxt);
// the subject is now a `DelegatingSubject` with `sessionCreationEnabled == false`

subject.login(token); // `token` is an AuthenticationToken; calls securityManager#login
// The login call above caused the creation of a session. The property `sessionCreationEnabled` was ignored.

Thanks in advance for your help,
Claudio
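The following is an added, stand-alone reproduction of the behaviour described in the post; it is not code from the thread or from the Shiro project. It assumes a Shiro 1.x classpath, a constructed `SimpleAccountRealm` with a demo account, and shows beside the reproduction the switch Shiro exposes for this purpose: `DefaultSessionStorageEvaluator.setSessionStorageEnabled(false)` on the security manager's `DefaultSubjectDAO`, which stops `login()` from persisting the authenticated principals into a freshly created session.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;

public class NoSessionLoginDemo {

    // Constructed realm with one constructed account (demo-only credentials).
    private static DefaultSecurityManager newSecurityManager() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("api-client", "demo-password");
        return new DefaultSecurityManager(realm);
    }

    // Mirrors the snippet from the post. login() builds a new Subject from a
    // fresh SubjectContext, so the sessionCreationEnabled flag set on the
    // caller's context is not carried over; whether a session appears is
    // decided by the SubjectDAO's session storage setting instead.
    static boolean sessionExistsAfterLogin(DefaultSecurityManager sm) {
        DefaultSubjectContext ctx = new DefaultSubjectContext();
        ctx.setSecurityManager(sm);
        ctx.setSessionCreationEnabled(false);
        Subject subject = sm.createSubject(ctx);
        subject.login(new UsernamePasswordToken("api-client", "demo-password"));
        return subject.getSession(false) != null;
    }

    // Disables subject-state session storage for the whole SecurityManager.
    // Equivalent shiro.ini line:
    //   securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false
    static void disableSessionStorage(DefaultSecurityManager sm) {
        DefaultSubjectDAO dao = (DefaultSubjectDAO) sm.getSubjectDAO();
        DefaultSessionStorageEvaluator evaluator =
                (DefaultSessionStorageEvaluator) dao.getSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = newSecurityManager();
        // With the default configuration a session is created during login().
        System.out.println("default config, session after login: " + sessionExistsAfterLogin(sm));

        disableSessionStorage(sm);
        // With storage disabled the stateless client gets no server-side session.
        System.out.println("storage disabled, session after login: " + sessionExistsAfterLogin(sm));
    }
}
```

Note that the evaluator still stores state into a session the Subject already has, so the switch only prevents creation of a new one; for web applications the `noSessionCreation` filter covers the per-URL case.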

Re: DefaultSecurityManager.login without creating a session

Posted by Francois Papon <fr...@openobject.fr>.
Hi,

Do you have some logs?

Can you activate trace log level?

regards,

François
fpapon@apache.org

On 14/05/2021 at 12:50, Dev wrote:
> Hello everyone,
>
> I noticed that the `login` method on DefaultSecurityManager always
> creates a session.
> In my opinion, this is not always useful; for example a http-basic
> authenticated API-client
> might not need a session. I tried to use
> `DefaultSubjectContext#setSessionCreationEnabled(false)`
> before creating the Subject that I want to login. But this setting is
> not considered.
>
> So my question is:
> Is this behavior intentional? If so, what is the reasoning? And is
> there a way to prevent Shiro from
> creating a session after authentication?
>
> Here's how I tried it in more detail:
>
> var securityManager = new DefaultSecurityManager();
> var ctxt = new DefaultSubjectContext();
> ctxt.setSecurityManager(securityManager);
> ctxt.setSessionCreationEnabled(false);
>
> var subject = securityManager.createSubject(ctxt);
> // the subject is now a `DelegatingSubject` with
> `sessionCreationEnabled == false`
>
> subject.login(token); // calls securityManager#login
> // The login call above caused the creation of a session. The property
> `sessionCreationEnabled` was ignored.
>
> Thanks in advance for your help,
> Claudio