shiro-user mailing list archives

From Thomas Baur
Subject Shiro + Spring HttpInvoker + Swing-Client, how to do?
Date Wed, 13 Jun 2012 10:37:50 GMT
Hi everybody, I am a bit lost on how to make the technology mentioned in the
subject work. Searching did not reveal information that helped me, so I'm
sending this out to the experts.

First of all, let me shortly lay out what I plan to do.
I would like to have a servlet container (tomcat or jetty) provide RPCs via
Spring HttpInvoker, these calls need to be secured by authentication and
authorization. The caller will be a Swing Client (or obviously a lot of
these) who also will be responsible for collecting the principal and
credential information, i.e. they will have a login form that is opened when
they are started. No Webstart, the clients will start on their own from a
local installation.

So what I need to do is to collect the authentication information, transfer
it to the server, perform a Shiro authentication there and then transfer the
session reference back to the client, which from then on will add this
session reference to all remaining remote calls to have a security context
bound to the calls. Or am I already wrong on this part?

Now, creating two remote calls with Spring remoting isn't that complicated.
In my example I have done an example business call, secured by a permission
requirement in the filter chain definition of the ShiroFilterFactoryBean,
and an auth call, which is bound to the anon filter (before you're
authenticated you are obviously anonymous). But I am having problems
figuring out how the session information from the successful subject.login()
call on the server is transferred back to the client and then bound to the
remoteInvocationFactory for subsequent calls. I tried to return
SecurityUtils.getSubject().getSession().getId() as the result of my auth
service and then to create a session on the client using

Serializable sessionId = authService.login(user, pass);
SimpleSession session = new SimpleSession();
Subject subject = new Subject.Builder().session(session).buildSubject();

so that I could use subject.execute(Callable) around the business call, but
for some reason beyond my current understanding no session cookie is added
to the request.

Can somebody point me to a working example somewhere please? Alternatively I
can post what I did so far in more detail, but I did not want to bloat the
mailing list in the first place in case there is already a solution at hand.
Maybe I'm just missing a point somewhere.

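Added example, not part of the original message and not Shiro's or Spring's own code: one way to carry the session id described above, as a Spring RemoteInvocation attribute set on the client and a Subject rebuilt from it on the server. The class names and the attribute key are hypothetical, and the sketch assumes the server's SecurityManager uses Shiro native sessions, so that a session can be looked up by its id.

```java
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import java.util.concurrent.Callable;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.ExecutionException;
import org.apache.shiro.subject.Subject;
import org.springframework.remoting.support.*;

// Client side: adds the id returned by the auth call to every later invocation.
class SessionIdInvocationFactory implements RemoteInvocationFactory {
    static final String SESSION_ID_ATTR = "example.sessionId"; // hypothetical key
    private volatile Serializable sessionId;                   // null until login

    void setSessionId(Serializable id) { this.sessionId = id; }

    @Override
    public RemoteInvocation createRemoteInvocation(MethodInvocation mi) {
        RemoteInvocation ri = new RemoteInvocation(mi);
        if (sessionId != null) ri.addAttribute(SESSION_ID_ATTR, sessionId);
        return ri;
    }
}

// Server side: rebuilds the Subject from the id and runs the service call under it.
class SessionIdInvocationExecutor extends DefaultRemoteInvocationExecutor {
    private final SecurityManager securityManager;

    SessionIdInvocationExecutor(SecurityManager sm) { this.securityManager = sm; }

    @Override
    public Object invoke(final RemoteInvocation ri, final Object target)
            throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
        Subject.Builder builder = new Subject.Builder(securityManager);
        Serializable id = ri.getAttribute(SessionIdInvocationFactory.SESSION_ID_ATTR);
        if (id != null) builder.sessionId(id); // no id: the call runs as an anonymous Subject
        Subject subject = builder.buildSubject();
        try {
            return subject.execute(new Callable<Object>() {
                public Object call() throws Exception {
                    return SessionIdInvocationExecutor.super.invoke(ri, target);
                }
            });
        } catch (ExecutionException e) { // unwrap so the client sees the service's exception
            Throwable cause = e.getCause();
            if (cause instanceof InvocationTargetException) throw (InvocationTargetException) cause;
            throw new InvocationTargetException(cause);
        }
    }
}
```

The factory would be set on the client's HttpInvokerProxyFactoryBean and the executor on the server's HttpInvokerServiceExporter. The session id acts as a bearer credential, so the invoker endpoint should only be reachable over HTTPS.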