Posted to user@shiro.apache.org by NabbleSometimesSucks <bi...@yahoo.com> on 2013/04/22 21:41:35 UTC

Moving SessionID from cookie to RequestBody json

So I currently have Shiro working in a Spring MVC Web App with REST api, but
it is storing the sessionID in a cookie. The currentUser is being added into
ThreadLocal via the ShiroFilter created by the ShiroFilterFactoryBean.

I want to change it to not use cookies, but as part of the json body
request. Besides our web app, we are also accessing it via a non-web app,
and they are complaining about having to write all this (low level) code to
get the value from the cookie, and then having to add it in another request
as a cookie value in the Header.

I feel if I wrote a custom Filter I could do this and have this code instead

new Subject.Builder().sessionId(sessionId).buildSubject()

in it. Where I can get the sessionID from the body of the request instead of
the Header.

Anyone know how I can accomplish this?

Thanks

Mark




Re: Moving SessionID from cookie to RequestBody json

Posted by Les Hazlewood <lh...@apache.org>.
Just a general comment: REST APIs rarely submit identity information in the
request payload - it's just rather unconventional.  It is almost always
done as a header (e.g. `Set-Cookie` or `Authorization`).

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Mon, Apr 22, 2013 at 1:21 PM, NabbleSometimesSucks <
bigtrashcaninthesky@yahoo.com> wrote:

> I actually think I should and can write the code to support both. I'll just
> have different URLs. The ones I have for cookie based approach, and other
> URLs for sessionID in the body.
>
> For the cookie based I can use
>
> SecurityUtils.getSubject();
>
> and for non Cookie based use
>
> new Subject.Builder().sessionId(sessionID).buildSubject();
>
> Thanks
>
> Mark
>
>
>
>

Re: Moving SessionID from cookie to RequestBody json

Posted by Les Hazlewood <lh...@apache.org>.
Oops, I mean 'rarely support' - not submit.

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Fri, Apr 26, 2013 at 2:01 PM, Les Hazlewood <le...@stormpath.com> wrote:

> Just a general comment: REST APIs rarely submit identity information in
> the request payload - it's just rather unconventional.  It is almost always
> done as a header (e.g. `Set-Cookie` or `Authorization`).
>
> On Mon, Apr 22, 2013 at 1:21 PM, NabbleSometimesSucks <
> bigtrashcaninthesky@yahoo.com> wrote:
>
>> I actually think I should and can write the code to support both. I'll
>> just
>> have different URLs. The ones I have for cookie based approach, and other
>> URLs for sessionID in the body.
>>
>> For the cookie based I can use
>>
>> SecurityUtils.getSubject();
>>
>> and for non Cookie based use
>>
>> new Subject.Builder().sessionId(sessionID).buildSubject();
>>
>> Thanks
>>
>> Mark
>>
>>
>>
>>
>
>

Re: Moving SessionID from cookie to RequestBody json

Posted by NabbleSometimesSucks <bi...@yahoo.com>.
I actually think I should and can write the code to support both. I'll just
have different URLs. The ones I have for cookie based approach, and other
URLs for sessionID in the body.

For the cookie based I can use

SecurityUtils.getSubject();

and for non Cookie based use

new Subject.Builder().sessionId(sessionID).buildSubject();

Thanks

Mark
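
The non-cookie path discussed in this thread, sketched as a servlet filter that takes the session ID from a request header and binds the resulting Subject for the rest of the chain. This is an added example, not code from any poster or from the Shiro project. The class name, the `X-Session-Id` header and the ID pattern are assumptions, and it assumes Shiro native sessions, the `javax.servlet` API and Java 8 or later.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;

// Hypothetical filter: map it only to the non-cookie URLs.
public class HeaderSessionFilter implements Filter {
    private static final String HEADER = "X-Session-Id"; // assumed header name
    // Assumes UUID-style IDs (Shiro's default generator); adjust if yours differ.
    private static final Pattern ID = Pattern.compile("[0-9a-fA-F-]{36}");
    private final SecurityManager securityManager;

    public HeaderSessionFilter(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String id = ((HttpServletRequest) req).getHeader(HEADER);
        // Reject missing or malformed IDs before they reach the session store.
        if (id == null || !ID.matcher(id).matches()) { reject(res); return; }

        Subject subject = new Subject.Builder(securityManager).sessionId(id).buildSubject();
        // An unknown or expired ID yields an anonymous Subject, not an error.
        if (!subject.isAuthenticated()) { reject(res); return; }
        try {
            // Binds the Subject to the thread so SecurityUtils.getSubject()
            // works downstream, and unbinds it when the call returns.
            subject.execute(() -> { chain.doFilter(req, res); return null; });
        } catch (ExecutionException e) {
            throw new ServletException(e.getCause());
        }
    }

    private static void reject(ServletResponse res) throws IOException {
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Passing the `SecurityManager` in explicitly avoids depending on a thread-bound or static one when this filter runs outside the `ShiroFilter`. The same checks apply if the ID is parsed from the JSON body instead of a header.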


