Posted to user@shiro.apache.org by Matt Mitchell <go...@gmail.com> on 2014/05/03 21:16:29 UTC

question about ThreadContent bind

Hi,

I have Shiro set up in a web app (not using shiro.web). Upon successful
login, a cookie is created. The value of the cookie is the same ID from
subject.getSession().getId() method. On the next request, I simply look for
this cookie and extract the value/decrypt and then do this:

create a new DefaultSubjectContext instance
set the sessionId via setSessionId($value-from-cookie-here)
call createSubject(subjectContext) on the security manager
then call ThreadContext.bind(newSubject)

It all works, but is this the recommended way to bind a session-based user?
Also, should I be unbinding at the end of the request before sending the
response?

Just looking for feedback.

- Matt

Re: question about ThreadContent bind

Posted by Brian Demers <br...@gmail.com>.
Any reason why you don't just use shiro-web ?
Either way, take a look at that module to see the related usage:
https://github.com/apache/shiro/blob/trunk/web/src/main/java/org/apache/shiro/web


On Sat, May 3, 2014 at 3:16 PM, Matt Mitchell <go...@gmail.com> wrote:

> Hi,
>
> I have Shiro set up in a web app (not using shiro.web). Upon successful
> login, a cookie is created. The value of the cookie is the same ID from
> subject.getSession().getId() method. On the next request, I simply look for
> this cookie and extract the value/decrypt and then do this:
>
> create a new DefaultSubjectContext instance
> set the sessionId via setSessionId($value-from-cookie-here)
> call createSubject(subjectContext) on the security manager
> then call ThreadContext.bind(newSubject)
>
> It all works, but is this the recommended way to bind a session-based
> user? Also, should I be unbinding at the end of the request before sending
> the response?
>
> Just looking for feedback.
>
> - Matt
>
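
The manual flow described in the question, written out with the thread cleanup it asks about. This is an added example, not code from the thread or from the Shiro project; the class name SessionBoundRequest and the handler parameter are assumptions, and the session id is assumed to have been decrypted from the cookie already.

```java
import java.io.Serializable;
import java.util.concurrent.Callable;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.SubjectThreadState;
import org.apache.shiro.util.ThreadState;

/** Hypothetical helper: runs one request as the Subject that owns a session id. */
public final class SessionBoundRequest {

    private final SecurityManager securityManager;

    public SessionBoundRequest(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    /**
     * @param sessionId value recovered from the cookie (already decrypted)
     * @param handler   the application's request-handling code (assumed)
     */
    public <T> T handle(Serializable sessionId, Callable<T> handler) throws Exception {
        // Builder equivalent of DefaultSubjectContext + setSessionId + createSubject.
        // With DefaultSecurityManager an unknown or expired id yields an anonymous
        // Subject instead of an exception, so the handler should still check
        // subject.isAuthenticated() before doing privileged work.
        Subject subject = new Subject.Builder(securityManager)
                .sessionId(sessionId)
                .buildSubject();

        // Binds the Subject and its SecurityManager to the current thread,
        // remembering whatever was bound before.
        ThreadState threadState = new SubjectThreadState(subject);
        threadState.bind();
        try {
            return handler.call();
        } finally {
            // Container threads are pooled: without this, the next request served
            // by this thread would see the previous user's Subject.
            threadState.clear();
        }
    }
}
```

Subject.execute(Callable) performs the same bind and cleanup around a single call, and the shiro-web filter linked in the reply does this per request.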