
I have 2 OSGi distributed web apps A(A1, A2) and B(B1, B2). I am using Shiro to share the HTTP sessions for single sign-on, so that logging in to one system logs in to the other too. But I want the session data to be separated between system A and B apart from the authentication/authorization data, so I need a way to share the authentication data and separate the system-specific session data of A and B. I am thinking of using Shiro for single sign-on and using a different distributed session for each system to store system-specific data. The main workflow would be:

  1. Log in to system A with Shiro, create another session (or some data holder object to store the session data) using the Shiro session id, and store it in the backend (db or cache).
  2. Do stuff in system A, put session data into the session created above, and write it to the backend.
  3. When another request comes in to system A, look for a session with the id matching the Shiro session id; if found, use it, else create a new one.

Does it make sense? Is it the right way to solve my problem? What is the best way? Please share your thoughts. Any input is appreciated. Thank you.

Jay Huang
  • Peter's answer is a nice way of doing this. You might also get some more answers about this topic at either the Karaf or the ops4j mailing lists. – Achim Nierbeck Feb 09 '13 at 06:48

1 Answer


I've done something like that with a Servlet Filter. My HttpSession contains the authorization id which I then look up and provide as security context for the request. If no security id is present, the client is forced to login. Obviously the security context can be held in a distribution mechanism so it is available from all systems in a cluster.

Make sure you use https between the client and the systems or otherwise someone can eavesdrop, read the cookie with the id, and login to one of the systems with the authorization of the victim. I.e. session hijacking.

Peter Kriens
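The filter approach from the answer, applied to the three-step workflow in the question, as an added example (not code from either poster): it keeps the shared login in Shiro's subject, forces unauthenticated clients to a login page, and hands servlets a system-specific data holder keyed by the Shiro session id. The class name, the `/login` URL, the attribute name and the in-memory map standing in for the db/cache backend are all assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

/** Per-system session filter for system A (hypothetical name). System B gets its own instance with its own backend key space. */
public class SystemSessionFilter implements Filter {
    /** Request attribute under which servlets find this system's data holder (assumed name). */
    public static final String SYSTEM_SESSION_ATTR = "systemA.session";
    private static final String LOGIN_URL = "/login"; // assumed login page

    /** Stand-in for the shared backend (db or cache); keyed by the Shiro session id. */
    private final Map<String, Map<String, Object>> backend = new ConcurrentHashMap<>();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The Shiro subject carries the authentication state shared across A and B.
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            // No valid shared login: force the client to log in (the answer's "no security id" case).
            response.sendRedirect(request.getContextPath() + LOGIN_URL);
            return;
        }
        // Step 3: look up this system's data holder by the Shiro session id; step 1 creates it on first use.
        String shiroSessionId = subject.getSession().getId().toString();
        Map<String, Object> systemSession =
                backend.computeIfAbsent(shiroSessionId, id -> new ConcurrentHashMap<>());
        // Step 2: servlets read and write system-specific data only through this holder,
        // so it never leaks into the shared Shiro session that system B also sees.
        request.setAttribute(SYSTEM_SESSION_ATTR, systemSession);
        chain.doFilter(req, res);
    }
}
```

A real backend should also drop the holder when the Shiro session expires or is logged out, otherwise system-specific data outlives the login it belonged to.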