Posted to user@shiro.apache.org by NabbleSometimesSucks <bi...@yahoo.com> on 2013/04/22 21:41:35 UTC
Moving SessionID from cookie to RequestBody json
So I currently have Shiro working in a Spring MVC web app with a REST API, but
it is storing the sessionID in a cookie. The currentUser is being added into
ThreadLocal via the ShiroFilter created by the ShiroFilterFactoryBean.
I want to change it to not use cookies, but to send it as part of the JSON
body of the request. Besides our web app, we are also accessing it via a non-web app,
and they are complaining about having to write all this (low level) code to
get the value from the cookie, and then having to add it in another request
as a cookie value in the Header.
I feel if I wrote a custom Filter I could do this and have this code in it
instead:

    new Subject.Builder().sessionId(sessionId).buildSubject()

where I can get the sessionID from the body of the request instead of
the Header.
Anyone know how I can accomplish this?
Thanks
Mark
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Moving-SessionID-from-cookie-to-RequestBody-json-tp7578645.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Moving SessionID from cookie to RequestBody json
Posted by Les Hazlewood <lh...@apache.org>.
Just a general comment: REST APIs rarely submit identity information in the
request payload - it's just rather unconventional. It is almost always
done as a header (e.g. `Set-Cookie` or `Authorization`).
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
On Mon, Apr 22, 2013 at 1:21 PM, NabbleSometimesSucks <bigtrashcaninthesky@yahoo.com> wrote:
> I actually think I should and can write the code to support both. I'll just
> have different URLs. The ones I have for cookie based approach, and other
> URLs for sessionID in the body.
>
> For the cookie based I can use
>
> SecurityUtils.getSubject();
>
> and for non Cookie based use
>
> new Subject.Builder().sessionId(sessionID).buildSubject();
>
> Thanks
>
> Mark
Re: Moving SessionID from cookie to RequestBody json
Posted by Les Hazlewood <lh...@apache.org>.
Oops, I mean 'rarely support' - not submit.
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
On Fri, Apr 26, 2013 at 2:01 PM, Les Hazlewood <le...@stormpath.com> wrote:
> Just a general comment: REST APIs rarely submit identity information in
> the request payload - it's just rather unconventional. It is almost always
> done as a header (e.g. `Set-Cookie` or `Authorization`).
Re: Moving SessionID from cookie to RequestBody json
Posted by NabbleSometimesSucks <bi...@yahoo.com>.
I actually think I should and can write the code to support both. I'll just
have different URLs. The ones I have for cookie based approach, and other
URLs for sessionID in the body.
For the cookie based I can use

    SecurityUtils.getSubject();

and for non Cookie based use

    new Subject.Builder().sessionId(sessionID).buildSubject();
Thanks
Mark
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Moving-SessionID-from-cookie-to-RequestBody-json-tp7578645p7578646.html
Sent from the Shiro User mailing list archive at Nabble.com.
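
One way to wire up what this thread discusses, as an added example that is not from any poster or from the Shiro project: a servlet filter that reads the session ID from a request header (the header convention mentioned in the reply above) and runs the request under a Subject built with Subject.Builder. The class name and the X-Session-Id header are hypothetical, and the sketch assumes Shiro native sessions (DefaultWebSessionManager), the javax.servlet API, and a SecurityManager injected by the application.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;

/** Hypothetical filter: resolves the Subject from a session ID sent in a header. */
public class HeaderSessionIdFilter implements Filter {
    // Assumed header name for this example; it is not a Shiro constant.
    private static final String HEADER = "X-Session-Id";
    private final SecurityManager securityManager;

    public HeaderSessionIdFilter(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String sessionId = ((HttpServletRequest) req).getHeader(HEADER);
        // An unknown or expired ID does not throw here: Shiro ignores the invalid
        // session and builds an anonymous Subject, so authentication is checked below.
        Subject subject = (sessionId == null || sessionId.isEmpty()) ? null
                : new Subject.Builder(securityManager).sessionId(sessionId).buildSubject();
        if (subject == null || !subject.isAuthenticated()) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            // execute() binds the Subject to this thread for the duration of the call
            // and unbinds it afterwards, so SecurityUtils.getSubject() works downstream.
            subject.execute(() -> { chain.doFilter(req, res); return null; });
        } catch (ExecutionException e) {
            throw new ServletException(e.getCause());
        }
    }
}
```

Mapped only to the URLs used by the non-web client, this leaves the existing cookie-based ShiroFilter path unchanged for browser requests.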